Abstract

Singleton  kinds  provide  an  elegant  device  for  expressing  type  equality  information  resulting  from  modern 
module  languages,  but  they  can  severely  complicate  the  metatheory  of  languages  in  which  they  appear.  I 
present  a  translation  from  a  language  with  singleton  kinds  to  one  without,  and  prove  that  translation  to 
be  sound  and  complete.  This  translation  is  useful  for  type-preserving  compilers  generating  typed  target 
languages.  The  proof  of  soundness  and  completeness  is  done  by  normalizing  type  equivalence  derivations 
using  Stone  and  Harper’s  type  equivalence  decision  procedure. 
1  Introduction


Type-preserving compilation, compilation using statically typed intermediate languages, offers many compelling
advantages over conventional untyped compilation. A typed compiler can utilize type information
to enable optimizations that would otherwise be prohibitively difficult or impossible. Internal type checking
can be used to help debug a compiler by catching errors introduced into programs in optimization or
transformation stages. Finally, if preserved through the compiler to its ultimate output, types can be used
to certify that executables are safe, that is, free of certain fatal errors or malicious behavior [10].

One  major  challenge  that  has  arisen  in  extending  type-preserving  compilation  to  full-strength  languages  with 
modern  module  systems,  such  as  Standard  ML  [8],  is  accounting  for  the  propagation  of  type  information. 
For  example,  consider  the  following  SML  signature: 

signature  SIG1  = 
sig 

type  t  =  int 
val  x  :  t 

val  f  :  t  ->  t 

end 

If  S  is  a  structure  having  signature  SIG1,  the  compiler  must  remember  that  S.t  is  interchangeable  with 
int  throughout  the  remaining  compilation  process.  However,  it  is  unacceptable  simply  to  treat  t  as  a 
straight  abbreviation  and  delete  it  from  the  signature,  because  SML’s  type  system  requires  that  SIG1  be  a 
subsignature  (i.e.,  subtype)  of  the  signature  SIG2  obtained  by  removing  the  equality  part  of  the  specification:1 

signature  SIG2  = 
sig 

type  t 
val  x  :  t 

val  f  :  t  ->  t 

end 

The  TILT  compiler  in  development  at  Carnegie  Mellon  University  (the  successor  to  the  TIL  compiler  [16]) 
addresses  this  problem  using  singleton  kinds,  a  very  elegant  and  uniform  type-theoretic  mechanism  for 
ensuring  the  propagation  of  type  information.  Kinds  are  used  in  type  theories  containing  higher-order  type 
constructors  to  classify  type  constructors  just  as  types  classify  ordinary  terms.  Using  singleton  kinds,  S.t  is 
given  the  kind  S(int),  the  kind  containing  only  the  type  int  (and  types  equal  to  it).  Propagation  of  type 
information is then obtained by augmenting the typechecker with the rule that if $\tau$ has kind $S(\tau')$, then
$\tau = \tau'$. The necessary subsignature relationship is obtained by observing that S(int) is a subkind of the
kind T of all types. The management of type information for modules using formalisms similar to singleton
kinds is explored in detail by Harper and Lillibridge [4] and Leroy [7].

Despite providing a very elegant solution to the type propagation problem, singleton kinds can substantially
complicate type checking, for reasons discussed in Section 2. Stone and Harper [15] have recently shown
that, despite these complications, type checking is decidable in the presence of singleton kinds, and indeed
is  decidable  by  a  practical  algorithm.  However,  the  correctness  proof  for  their  algorithm  is  somewhat 
complicated. 

1 This is not an arbitrary requirement in the design of SML. It is necessary to support a very common and useful idiom for
code reuse: that of writing generic code predicated on an abstract signature, and constraining that abstract signature with the
desired concrete types where the generic code is to be used.

$$\begin{array}{llcl}
\text{kinds} & K & ::= & T \mid S(c) \mid \Pi\alpha{:}K_1.K_2 \mid \Sigma\alpha{:}K_1.K_2 \\
\text{constructors} & c & ::= & \alpha \mid b \mid \lambda\alpha{:}K.c \mid c_1 c_2 \mid \langle c_1, c_2 \rangle \mid \pi_1 c \mid \pi_2 c \\
\text{assignments} & \Gamma & ::= & \epsilon \mid \Gamma, \alpha{:}K
\end{array}$$

Figure 1: Syntax

As discussed above, a principal advantage of type-preserving compilation is the possibility of producing
executables certified for safety by preserving types all the way through the compiler to its ultimate executable
output. This work was motivated by the desire to compile Standard ML (with its module language) to Typed
Assembly  Language  (TAL)  [10]  for  safety  certification.  However,  the  latter  phases  of  a  type-preserving 
compiler  may  involve  complicated  type  systems  including  not  only  TAL,  but  also  row  polymorphism  for 
stacks  [9],  inductive  kinds  for  intentional  type  analysis  [2],  and  types  for  tracking  aliasing  [14].  It  is  not  clear 
whether  Stone  and  Harper’s  algorithm  extends  to  these  type  systems  augmented  with  singleton  kinds,  and  if 
so,  how  easily  its  correctness  can  be  proven.  Moreover,  there  already  exist  a  variety  of  tools  for  manipulating 
low-level  typed  languages  that  do  not  support  singleton  kinds. 

I  propose  an  alternative  architecture  for  a  type-preserving  compiler  for  Standard  ML  that  employs  singleton 
kinds  in  the  compiler’s  front  end,  which  performs  ML-specific  optimizations  and  transformations,  but  not  in 
the  back  end,  which  may  use  complicated  type  systems  for  code  generation  and  low-level  transformations. 
This  allows  the  back  end  to  use  singleton-free  languages  and  tools,  while  still  providing  the  full  benefit  of 
singleton  kinds  to  the  front  end.  However,  for  this  to  be  possible,  we  require  a  way  to  eliminate  singleton 
kinds  without  changing  the  meaning  of  the  programs  in  which  they  appear. 

In  this  paper  I  present  such  a  strategy  for  singleton  kind  elimination.  The  singleton  elimination  process 
works  by  substituting  definitions  for  free  variables  wherever  singleton  kinds  give  such  definitions.  This  is 
intuitively  a  very  attractive  strategy,  but  it  is  complicated  by  some  subtle  issues  arising  from  higher-order 
type  constructors  and  its  correctness  is  not  trivial  to  prove. 

The  elimination  strategy  is  correct  (that  is,  sound  and  complete)  in  the  following  sense:  if  J  is  a  judgement 
in  the  singleton  kind  calculus  and  J'  is  its  corresponding  judgement  in  the  singleton  free  system  (provided 
by  the  singleton  elimination  process),  then  J  is  derivable  if  and  only  if  J'  is  derivable.  This  means  that 
the  elimination  process  does  not  cause  any  programs  to  cease  to  typecheck,  nor  does  it  allow  any  programs 
to  typecheck  that  would  not  have  before.  The  proof  of  this  fact  is  the  central  technical  contribution  of  the 
paper. 

This  paper  is  organized  as  follows:  In  Section  2,  I  formalize  the  singleton  kind  calculus  and  discuss  some 
of  its  subtleties  that  make  it  complicated  to  work  with.  In  Section  3,  I  present  the  singleton  elimination 
strategy  and  state  its  correctness  theorem.  Section  4  is  dedicated  to  the  proof  of  the  correctness  theorem, 
and  concluding  remarks  appear  in  Section  5. 

This  paper  assumes  familiarity  with  type  systems  with  higher-order  type  constructors  and  dependent  types. 
The  correctness  proof  draws  from  the  work  of  Stone  and  Harper  [15]  showing  decidability  of  type  equivalence 
in the presence of singleton kinds, but we will use their results almost entirely “off the shelf,” so familiarity
with  their  paper  is  not  required. 


2  A  Singleton  Kind  Calculus 


We  begin  by  formalizing  the  singleton  calculus  that  is  the  subject  of  this  paper.  The  syntax  of  the  singleton 
calculus  is  given  in  Figure  1.  It  consists  of  a  class  of  type  constructors  (usually  referred  to  as  “constructors” 
for  brevity)  and  a  class  of  kinds,  which  classify  constructors.  The  class  of  constructors  contains  variables 
(ranged over by $\alpha$), a collection of base types (ranged over by $b$), and the usual introduction and elimination
forms for functions and pairs over constructors. We could also add a collection of primitive type operators
(such as list or ->) without difficulty, but have not done so in the interest of simplicity.

signature SIG3 =
sig
  type s
  type t = int
  type u = s * t
  ... value fields ...
end

funsig FSIG (S : sig
                   type s
                   ... value fields ...
                 end) =
sig
  type t
  type u = S.s * t
  ... value fields ...
end

Figure 2: Sample Signatures

The kind structure is the novelty of the singleton calculus. The base kinds include $T$, the kind of all
types, and $S(c)$, the kind of all types definitionally equal to $c$. Thus, $S(c)$ represents a singleton set, up
to definitional equality. The constructor $c$ in $S(c)$ is permitted to be open, and consequently kinds may
contain free constructor variables, which makes it useful to have dependent kinds. The kind $\Pi\alpha{:}K_1.K_2$
contains functions from $K_1$ to $K_2$, where $\alpha$ refers to the function’s argument and may appear free in $K_2$.
Analogously, the kind $\Sigma\alpha{:}K_1.K_2$ contains pairs of constructors from $K_1$ and $K_2$, where $\alpha$ refers to the
left-hand member and may appear free in $K_2$. As usual, when $\alpha$ does not appear free in $K_2$, we write $\Pi\alpha{:}K_1.K_2$
as $K_1 \to K_2$ and $\Sigma\alpha{:}K_1.K_2$ as $K_1 \times K_2$.

In  addition,  the  syntax  provides  a  class  of  assignments,  which  assign  kinds  to  free  constructor  variables, 
for  use  in  the  calculus’s  static  semantics.  In  a  practical  application,  the  language  would  be  extended  with 
an  additional  class  of  terms,  but  for  our  purposes  (which  deal  with  constructor  equality)  we  need  not  be 
concerned  with  terms,  so  they  are  omitted. 

As usual, alpha-equivalent expressions (written $A = A'$) are taken to be identical. The capture-avoiding
substitution of $c$ for $\alpha$ in $A$ (where $A$ is a kind, constructor or assignment) is written $A\{c/\alpha\}$. We also will
often desire to define substitutions independent of a particular place of use, so when $\sigma$ is a substitution, we
denote the application of $\sigma$ to the expression $A$ by $A\{\sigma\}$. Separately defined substitutions will usually be
written in the form $\{c_1/\alpha_1\} \cdots \{c_n/\alpha_n\}$, denoting a sequential substitution with the leftmost substitution
taking place first.

As  discussed  in  the  introduction,  the  principal  intended  use  of  singleton  kinds  is  in  conjunction  with  module 
systems.  For  example,  the  type  portion  of  signature  SIG3  in  Figure  2  is  translated  to  the  kind: 

$$\Sigma\alpha{:}T.\ \Sigma\beta{:}S(\mathtt{int}).\ S(\alpha * \beta)$$

Note  the  essential  use  of  dependent  sums  in  this  kind.  Dependent  products  arise  from  the  phase  splitting  [5] 
of  functors.  For  example,  after  phase-splitting,  the  type  portion  of  the  functor  signature  FSIG  in  Figure  2 
(given  in  the  syntax  of  Standard  ML  of  New  Jersey  version  110)  is  translated  to  the  kind: 

$$\Pi\alpha{:}T.\ (\Sigma\beta{:}T.\ S(\alpha * \beta))$$


2.1  Judgements 

Judgement                          Interpretation

$\Gamma \vdash \mathrm{ok}$        $\Gamma$ is a valid assignment
$\vdash \Gamma_1 = \Gamma_2$       $\Gamma_1$ and $\Gamma_2$ are equivalent assignments
$\Gamma \vdash K$                  $K$ is a valid kind
$\Gamma \vdash K_1 \le K_2$        $K_1$ is a subkind of $K_2$
$\Gamma \vdash K_1 = K_2$          $K_1$ and $K_2$ are equivalent kinds
$\Gamma \vdash c : K$              $c$ is a valid constructor with kind $K$
$\Gamma \vdash c_1 = c_2 : K$      $c_1$ and $c_2$ are equivalent as members of kind $K$

Figure 3: Judgement Forms

The inference rules defining the static semantics of the singleton calculus are given in Appendix A. A
summary of the judgements that these rules define, and their interpretations, are given in Figure 3. For the
most part, these are the usual rules for a dependently typed lambda calculus with products and sums (but
lifted to the constructor level). Again, the novelty lies with the singleton kinds. Singleton kinds have two
introduction rules (one for kind assignment and one for equivalence),

$$\frac{\Gamma \vdash c : T}{\Gamma \vdash c : S(c)} \qquad \frac{\Gamma \vdash c = c' : T}{\Gamma \vdash c = c' : S(c)}$$

and one elimination rule:

$$\frac{\Gamma \vdash c : S(c')}{\Gamma \vdash c = c' : T}$$

These  rules  capture  the  intuition  of  singleton  kinds:  The  first  says  that  any  type  belongs  to  its  own  singleton 
kind.  The  second  says  that  equivalent  types  are  also  considered  equivalent  as  members  of  their  singleton 
kind.  The  third  says  that  if  one  type  belongs  to  another’s  singleton  kind,  then  those  types  are  equivalent. 

The  complexity  of  the  singleton  calculus  arises  from  the  above  rules  in  conjunction  with  the  subkinding 
relation  generated  by  the  following  two  rules: 

$$\frac{\Gamma \vdash c : T}{\Gamma \vdash S(c) \le T} \qquad \frac{\Gamma \vdash c_1 = c_2 : T}{\Gamma \vdash S(c_1) \le S(c_2)}$$

These  rules  are  essential  for  singleton  kinds  to  serve  their  intended  purpose  in  a  modern  module  system.  The 
first allows a signature to match a supersignature obtained by removing equality specifications, as discussed in
the  introduction.  The  second  allows  a  signature  to  match  another  signature  obtained  by  replacing  equality 
specifications  with  different  but  equivalent  ones. 

The presence of subkinding makes the usual context-insensitive methods of dealing with equivalence impossible.
Consider the identity function, $\lambda\alpha{:}T.\alpha$, and the constant int function, $\lambda\alpha{:}T.\mathtt{int}$. These functions are
clearly inequivalent as members of $T \to T$; that is, the judgement $\vdash \lambda\alpha{:}T.\alpha = \lambda\alpha{:}T.\mathtt{int} : T \to T$ is not
derivable. However, since $T \to T$ is a subkind of $S(\mathtt{int}) \to T$, these two functions can also be compared as
members of $S(\mathtt{int}) \to T$ and in that kind they are equivalent. This is because the bodies $\alpha$ and int are
compared under the assignment $\alpha{:}S(\mathtt{int})$, under which $\alpha$ and int are equivalent by the singleton elimination
rule. This example makes it clear that to deal with constructor equivalence in the singleton calculus, one
must take into account the contexts in which the constructors appear.

The determination of equivalence is further complicated by the fact that the classifying kind may be given
implicitly. For example, the classifying kind may be imposed by a function on its argument. Consider the
constructors $\beta(\lambda\alpha{:}T.\alpha)$ and $\beta(\lambda\alpha{:}T.\mathtt{int})$. These are well-formed under an assignment giving $\beta$ the kind
$(T \to T) \to T$ and also under one giving $\beta$ the kind $(S(\mathtt{int}) \to T) \to T$. However, for the same reason as
above, the two constructors are equivalent under the second assignment but not the first. The classifying
kind can then be made even further remote by making $\beta$ a function’s formal argument instead of a free
variable, and so on.
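$$\begin{array}{rcl}
T^\circ & \stackrel{\mathrm{def}}{=} & T \\
S(c)^\circ & \stackrel{\mathrm{def}}{=} & T \\
(\Pi\alpha{:}K_1.K_2)^\circ & \stackrel{\mathrm{def}}{=} & K_1^\circ \to K_2^\circ \\
(\Sigma\alpha{:}K_1.K_2)^\circ & \stackrel{\mathrm{def}}{=} & K_1^\circ \times K_2^\circ
\end{array}$$

Figure 4: Singleton Erasure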


2.2  A  Singleton-Free  System 


To  formalize  our  results,  we  also  require  a  singleton-free  target  language  into  which  to  translate  expressions 
from  the  singleton  calculus.  We  will  define  the  singleton-free  system  in  terms  of  its  differences  from  the 
singleton  calculus: 

We  will  say  that  a  constructor  c  (not  necessarily  well-formed)  syntactically  belongs  to  the  singleton-free 
calculus  provided  that  c  contains  no  singleton  kinds.  Note  that  as  a  consequence  of  containing  no  singleton 
kinds,  all  product  and  sum  kinds  may  be  written  in  non-dependent  form.  Also,  all  kinds  in  the  singleton-free 
calculus  are  well-formed. 

The  inference  rules  for  the  singleton-free  system  are  obtained  by  removing  from  the  singleton  calculus  all 
the  rules  dealing  with  subkinding  (Rules  9-13,  28  and  45)  and  all  the  rules  dealing  with  singleton  kinds 
(Rules 6, 15, 25, 34 and 35). Note that derivable judgements in the singleton-free system must be built
using only expressions syntactically belonging to the singleton-free calculus. When a judgement is derivable
in the singleton-free system, we will note this fact by marking the turnstile $\vdash_{sf}$.


3  Elimination  of  Singleton  Kinds 


The  critical  rule  in  the  static  semantics  of  the  singleton  calculus  is  the  singleton  elimination  rule  (Rule  34). 
The  main  aim  of  the  singleton  kind  elimination  process  is  to  rewrite  constructors  so  that  any  equivalences 
that  hold  for  those  constructors  may  be  derived  without  using  that  rule.  If  this  aim  is  achieved,  any 
singleton  kinds  remaining  within  the  constructors  are  not  used  (in  any  essential  way)  and  can  simply  be 
erased,  resulting  in  valid  constructors  and  derivations  in  the  singleton-free  system. 

This erasure process is made precise in Figure 4, which defines a mapping $(-)^\circ$ from singleton calculus kinds
to singleton-free kinds that replaces all singleton kinds by $T$. The erasure mapping is lifted to constructors
and assignments in the obvious manner. If $\Gamma \vdash c_1 = c_2 : K$ is derivable without using singleton elimination,
then $\Gamma^\circ \vdash_{sf} c_1^\circ = c_2^\circ : K^\circ$ is derivable in the singleton-free system. A slightly stronger version of this fact
is formalized as Lemma 25 in Section 4.4.

Thus, our goal is to rewrite constructors in such a manner that the singleton elimination rule is not necessary.
As  discussed  in  the  introduction,  this  rewriting  is  done  by  substituting  definitions  for  variables  whenever 
singleton  kinds  provide  such  definitions.  This  works  out  quite  simply  in  first-order  cases,  but  higher-order 
cases  raise  some  subtle  issues.  We  will  explore  these  issues  by  considering  a  number  of  examples  before 
defining  the  fully  general  elimination  process. 


Example 1 Suppose we are working under the assignment $\alpha{:}S(\mathtt{int}), \beta{:}S(\mathtt{bool})$. Naturally, we replace all
free appearances of $\alpha$ in the constructor in question by int, and replace all free appearances of $\beta$ by bool.
This is done simply by performing the substitution $\{\mathtt{bool}/\beta\}\{\mathtt{int}/\alpha\}$ on the constructor in question.

In this example, we refer to int as the expansion of $\alpha$, and likewise bool is the expansion of $\beta$. In general,
the elimination process will have the same gross structure as in this example. For an assignment $\Gamma =
\alpha_1{:}K_1, \ldots, \alpha_n{:}K_n$ we will define a substitution $R(\Gamma)$ of the form $\{c_n/\alpha_n\} \cdots \{c_1/\alpha_1\}$ where each $c_i$ is the
expansion of $\alpha_i$.


Example 2 Suppose we are working under the assignment $\Gamma = \alpha{:}S(\mathtt{int}), \beta{:}S(\alpha)$. In this case, analogously
to the previous example, $R(\Gamma)$ is $\{\alpha/\beta\}\{\mathtt{int}/\alpha\}$. Note that since this is a sequential substitution, it is
equivalent to the substitution $\{\mathtt{int}/\beta\}\{\mathtt{int}/\alpha\}$, as one would expect.


Example 3 Suppose $\alpha$ is assigned the kind $S(\mathtt{int}) \times S(\mathtt{bool})$. In this case, $\pi_1\alpha$ is equal to int and
$\pi_2\alpha$ is equal to bool. We can write these equalities into a constructor by substituting for $\alpha$ with the pair
$\langle \mathtt{int}, \mathtt{bool} \rangle$.


Example 4 In the previous examples, the expansion of a variable $\alpha$ did not contain $\alpha$, but this is not true
in general. Suppose $\alpha$ is assigned the kind $T \times S(\mathtt{int})$. In this case, $\pi_2\alpha$ is equal to int, but $\pi_1\alpha$ is not
given a definition and should not be changed. We handle this by substituting for $\alpha$ with the pair $\langle \pi_1\alpha, \mathtt{int} \rangle$.

As this example illustrates, a good way to understand expansions is to view them as eta-long forms of
constructors. This interpretation is precisely correct, provided we view the replacement of a constructor by
its singleton definition as an eta-expansion. In fact, the ultimate definition of expansions will eta-expand
constructors uniformly, so, for example, if $\alpha$ has kind $T \times T$, its expansion will be $\langle \pi_1\alpha, \pi_2\alpha \rangle$ (instead of just
$\alpha$). This uniformity will make the correctness proof simpler, but a practical implementation would probably
optimize such cases.


Example 5 Suppose $\alpha$ is assigned the kind $\Sigma\beta{:}T.S(\beta)$. Then $\pi_2\alpha$ is known to be equal to $\pi_1\alpha$ (although
its precise value is unknown). In this case the expansion of $\alpha$ is $\langle \pi_1\alpha, \pi_1\alpha \rangle$.


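Example 6 Suppose $\alpha$ is assigned the kind $\Sigma\beta{:}S(\mathtt{int}).S(\beta)$. In this case $\pi_1\alpha$ and $\pi_2\alpha$ are equal to int
and the expansion is $\langle \mathtt{int}, \mathtt{int} \rangle$.

Generally, if $\alpha$ has the kind $\Sigma\beta{:}K_1.K_2$, the expansion of $\alpha$ will be the pair $\langle c_1, c_2 \rangle$ where $c_1$ is the expansion
of $\pi_1\alpha$, and $c_2$ is the expansion of $\pi_2\alpha$ with the additional information that $\beta$ refers to $\pi_1\alpha$ and has kind $K_1$.
We may generalize all the examples so far with the following definition, where $R(c, K)$ is the expansion of $c$
assuming $c$ is known to have kind $K$:

$$\begin{array}{rcl}
R(c, T) & \stackrel{\mathrm{def}}{=} & c \\
R(c, S(c')) & \stackrel{\mathrm{def}}{=} & c' \\
R(c, \Sigma\alpha{:}K_1.K_2) & \stackrel{\mathrm{def}}{=} & \langle R(\pi_1 c, K_1),\ R(\pi_2 c, K_2\{R(\pi_1 c, K_1)/\alpha\}) \rangle
\end{array}$$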

Example 7 Suppose $\alpha$ is assigned the kind $\Pi\beta{:}T.S(\mathtt{list}\ \beta)$ (where $\mathtt{list} : T \to T$). Then for any argument
$c$, the application $\alpha\, c$ is equal to $\mathtt{list}\ c$. Thus, the appropriate expansion of $\alpha$ is $\lambda\beta{:}T.\mathtt{list}\ \beta$. Note that
this is the eta-long form of list.


Example 8 Suppose $\alpha$ is assigned the kind $\Pi\beta{:}T.(T \times S(\beta))$. In this case, for any argument $c$, $\pi_2(\alpha\, c)$ is
known to be equal to $c$, but no definition is given for $\pi_1(\alpha\, c)$. Thus, the expansion of $\alpha$ is $\lambda\beta{:}T.\langle \pi_1(\alpha\, \beta), \beta \rangle$.

These last two examples suggest the following generalization for product kinds:

$$R(c, \Pi\alpha{:}K_1.K_2) = \lambda\alpha{:}K_1.R(c\,\alpha, K_2) \qquad \text{(wrong)}$$

This  is  close  to  the  right  generalization,  but,  as  we  will  see  in  the  next  section,  it  is  not  quite  satisfactory 
due  to  the  need  to  account  for  internally  bound  variables.  Nevertheless,  it  provides  good  intuition  on  the 
process  of  expansion  over  product  kinds. 


3.1  Internally  Bound  Variables 


Thus  far  we  have  exclusively  considered  rewriting  constructors  to  account  for  the  kinds  of  their  free  variables. 
To  be  sure  that  no  uses  of  the  singleton  elimination  rule  are  necessary,  we  must  also  consider  internally 
bound variables. For example, it would seem as though the constructor $\lambda\alpha{:}S(\mathtt{int}).\alpha$ should be rewritten to
something like $\lambda\alpha{:}S(\mathtt{int}).\mathtt{int}$.

A naive approach would be to traverse the constructor in question and replace every bound variable with
its expansion resulting from the kind in its binding occurrence. For example, in $\lambda\alpha{:}S(\mathtt{int}).\alpha$, the binding
occurrence of $\alpha$ gives it kind $S(\mathtt{int})$, so the $\alpha$ in the abstraction’s body would be replaced by $R(\alpha, S(\mathtt{int})) =
\mathtt{int}$. However this traversal is not sufficient to account for all internally bound variables, nor in fact is it
even necessary.

To see why a traversal is insufficient, suppose $\beta$ has kind $(S(\mathtt{int}) \to T) \to T$ and consider the constructors
$\beta(\lambda\alpha{:}T.\alpha)$ and $\beta(\lambda\alpha{:}T.\mathtt{int})$. (Recall Section 2.1.) In the former constructor, the binding occurrence of $\alpha$
gives it kind $T$, and consequently the hypothetical traversal would not replace it. However, as we saw in
Section 2.1, the two constructors should be equal, and for this to happen without the singleton elimination
rule, $\alpha$ must be replaced by int in the former constructor. What this illustrates is that when an abstraction
appears in an argument position, the abstraction’s domain kind can be strengthened (in this case from $T$ to
$S(\mathtt{int})$). This means that the kind given in a variable’s binding occurrence cannot be relied upon.

One  possibility  for  dealing  with  this  would  be  to  perform  a  much  more  complicated  traversal  that  attempts 
to  determine  the  “true”  kind  for  every  bound  variable.  Fortunately,  we  may  deal  with  this  in  a  much  simpler 
way  by  shifting  the  responsibility  for  expanding  a  bound  variable  from  the  abstraction  where  that  variable 
is  bound  to  all  constructors  that  might  consume  that  abstraction. 

In the above example, $\beta$ changes the effective domain of its arguments to $S(\mathtt{int})$; in other words, it promises
only to call them with int. The expansion process for product kinds makes this explicit. In this case, the
expansion of $\beta$ is $\lambda\gamma{:}(S(\mathtt{int}) \to T).\ \beta(\lambda\alpha{:}S(\mathtt{int}).\gamma\ \mathtt{int})$. After substituting this expansion for $\beta$, each of the
constructors above normalizes to $\beta(\lambda\alpha{:}S(\mathtt{int}).\mathtt{int})$. In general, the expansion that achieves this is:

$$R(c, \Pi\alpha{:}K_1.K_2) \stackrel{\mathrm{def}}{=} \lambda\alpha{:}K_1.\ R(c\,\alpha, K_2)\{R(\alpha, K_1)/\alpha\}$$


Making this expansion part of the substitution for free variables accounts for all cases in which the kind of
an abstraction (and therefore its domain kind) is given by some other constructor to which the abstraction
is passed as an argument. The only other way a kind may be imposed on an abstraction is at the top level.
Again recall Section 2.1 and consider the constructors $\lambda\alpha{:}T.\alpha$ and $\lambda\alpha{:}T.\mathtt{int}$. These constructors should be
considered equivalent when compared as members of kind $S(\mathtt{int}) \to T$, but not as members of $T \to T$.
Thus, the elimination process must be affected by the kinds in which a constructor is considered to lie.

This is neatly dealt with by (in addition to substituting expansions for free variables) expanding the entire
constructor using the kind to which it belongs. Thus, when considered as members of $S(\mathtt{int}) \to T$, the two
constructors above become $\lambda\alpha{:}S(\mathtt{int}).((\lambda\alpha{:}T.\alpha)\,\mathtt{int})$ and $\lambda\alpha{:}S(\mathtt{int}).((\lambda\alpha{:}T.\mathtt{int})\,\mathtt{int})$; each of which normalize
to $\lambda\alpha{:}S(\mathtt{int}).\mathtt{int}$. However, when considered as members of $T \to T$, the two become $\lambda\alpha{:}T.((\lambda\alpha{:}T.\alpha)\,\alpha)$
and $\lambda\alpha{:}T.((\lambda\alpha{:}T.\mathtt{int})\,\alpha)$; each of which normalizes to its original form.




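$$\begin{array}{rcl}
R(c, T) & \stackrel{\mathrm{def}}{=} & c \\
R(c, S(c')) & \stackrel{\mathrm{def}}{=} & c' \\
R(c, \Pi\alpha{:}K_1.K_2) & \stackrel{\mathrm{def}}{=} & \lambda\alpha{:}K_1.\ R(c\, R(\alpha, K_1),\ K_2\{R(\alpha, K_1)/\alpha\}) \\
 & & \text{(where } \alpha \text{ is not free in } c \text{ or } K_1\text{)} \\
R(c, \Sigma\alpha{:}K_1.K_2) & \stackrel{\mathrm{def}}{=} & \langle R(\pi_1 c, K_1),\ R(\pi_2 c, K_2\{R(\pi_1 c, K_1)/\alpha\}) \rangle \\
R(\alpha_1{:}K_1, \ldots, \alpha_n{:}K_n) & \stackrel{\mathrm{def}}{=} & \{R(\alpha_n, K_n)/\alpha_n\} \cdots \{R(\alpha_1, K_1)/\alpha_1\}
\end{array}$$

Figure 5: Expansions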


3.2  The  Elimination  Process 

The full definition of the expansion constructors and substitutions is given in Figure 5. Using expansion, the
singleton kind elimination proceeds in three steps: Given a constructor $c$ considered to have kind $K$ under
assignment $\Gamma$, we first expand $c$, resulting in $R(c, K)$. Second, we substitute expansions for all free variables,
resulting in $R(c, K)\{R(\Gamma)\}$. Third, we erase any remaining singleton kinds, resulting in $(R(c, K)\{R(\Gamma)\})^\circ$.

We  may  state  the  following  correctness  theorem  for  the  elimination  process,  which  states  that  rewritten 
constructors  will  be  equivalent  if  and  only  if  the  original  constructors  were  equivalent: 

Theorem 1 Suppose $\Gamma \vdash c_1 : K$ and $\Gamma \vdash c_2 : K$. Then $\Gamma \vdash c_1 = c_2 : K$ if and only if
$\Gamma^\circ \vdash_{sf} (R(c_1, K)\{R(\Gamma)\})^\circ = (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$.


The  proof  of  the  correctness  theorem  is  the  subject  of  the  next  section. 
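The three elimination steps of Section 3.2, run on the examples of Sections 2.1 and 3, as an added Python example (not code from the paper or from the TILT compiler). The tuple encoding and every function name are assumptions of this example; equality in the singleton-free system is checked here by beta-normalization and alpha-equivalence only, which is enough for the inputs shown.

```python
# Tuple encoding (an assumption of this example, not the paper's notation):
#   kinds        T | S(c) | Pi a:K1.K2 | Sigma a:K1.K2
#   constructors var | base | lam | app | pair | pi1 | pi2
T, INT = ('T',), ('base', 'int')
def S(c): return ('S', c)
def Pi(a, k1, k2): return ('Pi', a, k1, k2)
def Sigma(a, k1, k2): return ('Sigma', a, k1, k2)
def var(a): return ('var', a)
def lam(a, k, c): return ('lam', a, k, c)
def app(f, x): return ('app', f, x)
def pair(l, r): return ('pair', l, r)
def pi1(c): return ('pi1', c)
def pi2(c): return ('pi2', c)
BINDERS = ('lam', 'Pi', 'Sigma')  # shape: (tag, bound variable, annotation, scope)

def fv(e):
    """Free constructor variables of a kind or constructor."""
    if e[0] == 'var': return {e[1]}
    if e[0] in ('T', 'base'): return set()
    if e[0] in BINDERS: return fv(e[2]) | (fv(e[3]) - {e[1]})
    return set().union(*(fv(x) for x in e[1:]))

def fresh(name, avoid):
    while name in avoid: name += "'"
    return name

def subst(e, a, c):
    """Capture-avoiding substitution e{c/a}."""
    if e[0] == 'var': return c if e[1] == a else e
    if e[0] in ('T', 'base'): return e
    if e[0] in BINDERS:
        tag, b, ann, body = e
        ann = subst(ann, a, c)
        if b == a: return (tag, b, ann, body)
        if b in fv(c):                      # rename the binder to avoid capture
            nb = fresh(b, fv(c) | fv(body) | {a})
            b, body = nb, subst(body, b, var(nb))
        return (tag, b, ann, subst(body, a, c))
    return (e[0],) + tuple(subst(x, a, c) for x in e[1:])

def R(c, k):
    """Expansion of constructor c at kind k (Figure 5)."""
    if k[0] == 'T': return c
    if k[0] == 'S': return k[1]
    tag, a, k1, k2 = k
    if tag == 'Sigma':
        left = R(pi1(c), k1)
        return pair(left, R(pi2(c), subst(k2, a, left)))
    if a in fv(c) | fv(k1):                 # side condition: a not free in c or K1
        na = fresh(a, fv(c) | fv(k1) | fv(k2))
        a, k2 = na, subst(k2, a, var(na))
    arg = R(var(a), k1)
    return lam(a, k1, R(app(c, arg), subst(k2, a, arg)))

def expand_free(e, gamma):
    """Apply R(Gamma) = {R(a_n,K_n)/a_n}...{R(a_1,K_1)/a_1}, leftmost first."""
    for a, k in reversed(gamma):
        e = subst(e, a, R(var(a), k))
    return e

def erase(e):
    """Singleton erasure (Figure 4): every S(c) becomes T."""
    if e[0] == 'S': return T
    return tuple(x if isinstance(x, str) else erase(x) for x in e)

def norm(e):
    """Beta-normalize: (lam a:K.c) c' -> c{c'/a} and pi_i <c1,c2> -> c_i."""
    e = tuple(x if isinstance(x, str) else norm(x) for x in e)
    if e[0] == 'app' and e[1][0] == 'lam':
        return norm(subst(e[1][3], e[1][1], e[2]))
    if e[0] in ('pi1', 'pi2') and e[1][0] == 'pair':
        return e[1][1 if e[0] == 'pi1' else 2]
    return e

def alpha_eq(x, y, env=()):
    """Syntactic equality up to renaming of bound variables."""
    if x[0] != y[0]: return False
    if x[0] == 'var':
        for a, b in env:                    # innermost binder first
            if a == x[1] or b == y[1]: return (a, b) == (x[1], y[1])
        return x[1] == y[1]
    if x[0] in BINDERS:
        return (alpha_eq(x[2], y[2], env)
                and alpha_eq(x[3], y[3], ((x[1], y[1]),) + env))
    return all(p == q if isinstance(p, str) else alpha_eq(p, q, env)
               for p, q in zip(x[1:], y[1:]))

def eliminate(c, k, gamma=()):
    """Expand at K, substitute R(Gamma), erase; then normalize for comparison."""
    return norm(erase(expand_free(R(c, k), gamma)))

def same_after_elimination(c1, c2, k, gamma=()):
    return alpha_eq(eliminate(c1, k, gamma), eliminate(c2, k, gamma))

# Constructed inputs taken from the examples in the text.
IDENT, CONST = lam('a', T, var('a')), lam('a', T, INT)   # identity, constant int
S_INT_TO_T, T_TO_T = Pi('a', S(INT), T), Pi('a', T, T)   # S(int) -> T and T -> T
```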


4  Correctness  Proof 


The  previous  section’s  informal  discussion  motivates  why  we  might  expect  the  elimination  process  to  be 
correct.  Unfortunately,  Theorem  1  defies  direct  proof,  because  there  are  too  many  ways  that  a  judgement 
might  be  derived,  and  those  derivations  have  no  particular  structure  in  common.  We  may  see  a  reason 
why  the  proof  is  difficult  by  considering  the  theorem’s  implications.  Since  it  is  easy  to  determine  equality 
of  constructors  in  the  singleton-free  system,  the  theorem  provides  a  simple  test  for  equality:  translate 
constructors  into  the  singleton-free  system  and  check  that  they  are  equal  there.  The  theorem  states  that 
such  a  test  is  sound  and  complete.  However,  this  also  indicates  that  proving  the  theorem  is  at  least  as 
difficult  as  proving  decidability  of  constructor  equality  in  the  full  system. 

The  decidability  of  constructor  equality  has  recently  been  shown  by  Stone  and  Harper  [15].  They  provide  an 
algorithm  for  deciding  constructor  equality  and  prove  that  algorithm  sound  and  complete  using  a  Kripke- 
style  logical  relation.  In  addition  to  settling  the  decidability  question,  they  provide  a  tool  with  which  we 
may  prove  Theorem  1.  One  approach  would  be  to  follow  Stone  and  Harper  and  prove  the  theorem  directly 
using  a  logical  relation.  This  approach  is  not  attractive,  due  to  the  substantial  complexity  of  the  arguments 
involved.  However,  we  may  still  take  advantage  of  their  result. 

The  proof  works  essentially  by  using  Stone  and  Harper’s  algorithm  to  normalize  the  derivations  of  equality 
judgements. Given a derivable equality judgement, we use completeness of the algorithm to deduce the
existence  of  a  derivation  in  the  algorithmic  system.  That  derivation  can  have  only  one  form,  making  it  much 
easier  to  reason  about. 
The only-if portion of the proof (the difficult part) is structured as follows:

1. Suppose $\Gamma \vdash c_1 = c_2 : K$.

2. Prove that constructors are equal to their expansions; that is, $\Gamma \vdash c_1 = R(c_1, K)\{R(\Gamma)\} : K$ and
$\Gamma \vdash c_2 = R(c_2, K)\{R(\Gamma)\} : K$. By symmetry and transitivity it follows that the expansions are equal:
$\Gamma \vdash R(c_1, K)\{R(\Gamma)\} = R(c_2, K)\{R(\Gamma)\} : K$.

3. By algorithmic completeness, deduce that there exists a derivation of the algorithmic judgement
$\Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K \Leftrightarrow \Gamma \vdash R(c_2, K)\{R(\Gamma)\} : K$.

4. Prove that singleton reduction (the algorithmic counterpart of the singleton elimination rule) is not
used in the algorithmic derivation. This step is the heart of the proof.

5. By algorithmic soundness, deduce that there exists a derivation of $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} =
R(c_2, K)\{R(\Gamma)\} : K$ in which the singleton elimination rule (Rule 34) is not used (except within
subderivations for kinding or subkinding judgements).

6. Prove that therefore there exists a derivation of $\Gamma^\circ \vdash_{sf} (R(c_1, K)\{R(\Gamma)\})^\circ = (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$.

Once the only-if portion is proved, the converse is easily established. Its proof is discussed in Section 4.4.

4.1  Equality  of  expansions 

We begin by establishing that well-formed constructors are equal to their expansions. We first state three propositions giving some properties of the inference system (these are proven in Stone and Harper [15]), and then prove equality of expansions by a series of three lemmas.

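Proposition 2 (Regularity)

1. If $\Gamma \vdash J$ then $\Gamma \vdash \mathrm{ok}$.

2. If $\Gamma \vdash c : K$ then $\Gamma \vdash K\ \mathrm{kind}$.

3. If $\Gamma \vdash c_1 = c_2 : K$ then $\Gamma \vdash c_1 : K$ and $\Gamma \vdash c_2 : K$.

Proposition 3

1. (Weakening) If $\Gamma_1, \Gamma_3 \vdash J$ and $\Gamma_1, \Gamma_2, \Gamma_3 \vdash \mathrm{ok}$ then $\Gamma_1, \Gamma_2, \Gamma_3 \vdash J$.

2. (Reflexivity) If $\Gamma \vdash c : K$ then $\Gamma \vdash c = c : K$.

3. (Kind reflexivity) If $\Gamma \vdash K\ \mathrm{kind}$ then $\Gamma \vdash K = K$.

4. (Subkinding reflexivity) If $\Gamma \vdash K_1 = K_2$ then $\Gamma \vdash K_1 \le K_2$.

5. (Assignment reflexivity) If $\Gamma \vdash \mathrm{ok}$ then $\vdash \Gamma = \Gamma$.

Proposition 4 (Substitution) Suppose $\Gamma \vdash c_1 = c_2 : K$. Then:

1. If $\Gamma, \alpha{:}K, \Gamma' \vdash K_1 = K_2$ then $\Gamma, (\Gamma'\{c_1/\alpha\}) \vdash K_1\{c_1/\alpha\} = K_2\{c_2/\alpha\}$.

2. If $\Gamma, \alpha{:}K, \Gamma' \vdash c_1' = c_2' : K'$ then $\Gamma, (\Gamma'\{c_1/\alpha\}) \vdash c_1'\{c_1/\alpha\} = c_2'\{c_2/\alpha\} : K'\{c_1/\alpha\}$.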
Lemma 5 $R(c, K)\{c'/\alpha\} = R(c\{c'/\alpha\}, K\{c'/\alpha\})$

Proof

By induction on $K$.


Lemma 6 If $\Gamma \vdash c : K$ then $\Gamma \vdash c = R(c, K) : K$.

Proof

By induction on $K$.

Case 1: Suppose $K = T$. Then $R(c, K) = c$ and by reflexivity, $\Gamma \vdash c = c : T$.

Case 2: Suppose $K = S(c')$. Then $R(c, K) = c'$. By assumption, $\Gamma \vdash c : S(c')$, so by singleton elimination (Rule 34), $\Gamma \vdash c = c' : T$. Then by symmetry and Rule 35, $\Gamma \vdash c = c' : S(c')$.

Case 3: Suppose $K = \Pi\alpha{:}K_1.K_2$. Choose $\alpha$ so that it does not appear in the domain of $\Gamma$ or free in $c$. Then $R(c, K) = \lambda\alpha{:}K_1.\, R(c\,R(\alpha, K_1), K_2\{R(\alpha, K_1)/\alpha\})$. Invoking Lemma 5, $R(c, K) = \lambda\alpha{:}K_1.\, R(c\alpha, K_2)\{R(\alpha, K_1)/\alpha\}$.

By regularity and inversion, $\Gamma \vdash K_1\ \mathrm{kind}$, so by weakening, $\Gamma, \alpha{:}K_1 \vdash c : \Pi\alpha{:}K_1.K_2$. Thus $\Gamma, \alpha{:}K_1 \vdash c\alpha : K_2$. By induction, $\Gamma, \alpha{:}K_1 \vdash c\alpha = R(c\alpha, K_2) : K_2$. Also by induction, $\Gamma, \alpha{:}K_1 \vdash \alpha = R(\alpha, K_1) : K_1$. Then, by weakening and substitution, $\Gamma, \alpha{:}K_1 \vdash c\alpha = R(c\alpha, K_2)\{R(\alpha, K_1)/\alpha\} : K_2$. By product introduction (Rule 40), $\Gamma \vdash \lambda\alpha{:}K_1.c\alpha = R(c, K) : \Pi\alpha{:}K_1.K_2$.

It remains to show that $\Gamma \vdash c = \lambda\alpha{:}K_1.c\alpha : \Pi\alpha{:}K_1.K_2$. This may be shown using functionality (Rule 30) and beta reduction (Rule 29).

Case 4: Suppose $K = \Sigma\alpha{:}K_1.K_2$. Choose $\alpha$ so that it does not appear in the domain of $\Gamma$ or free in $c$. Then $R(c, K) = \langle R(\pi_1 c, K_1), R(\pi_2 c, K_2\{R(\pi_1 c, K_1)/\alpha\})\rangle$. Note that by regularity and inversion, $\Gamma, \alpha{:}K_1 \vdash K_2\ \mathrm{kind}$.

By sum elimination (Rule 22), $\Gamma \vdash \pi_1 c : K_1$, so by induction, $\Gamma \vdash \pi_1 c = R(\pi_1 c, K_1) : K_1$. Also by sum elimination (Rule 23), $\Gamma \vdash \pi_2 c : K_2\{\pi_1 c/\alpha\}$. By reflexivity and substitution, $\Gamma \vdash K_2\{\pi_1 c/\alpha\} = K_2\{R(\pi_1 c, K_1)/\alpha\}$, and thus $\Gamma \vdash \pi_2 c : K_2\{R(\pi_1 c, K_1)/\alpha\}$. Then, by induction, $\Gamma \vdash \pi_2 c = R(\pi_2 c, K_2\{R(\pi_1 c, K_1)/\alpha\}) : K_2\{R(\pi_1 c, K_1)/\alpha\}$. By sum introduction (Rule 44) and symmetry, $\Gamma \vdash \langle \pi_1 c, \pi_2 c\rangle = R(c, K) : \Sigma\alpha{:}K_1.K_2$.

It remains to show that $\Gamma \vdash c = \langle \pi_1 c, \pi_2 c\rangle : \Sigma\alpha{:}K_1.K_2$. This may be shown using functionality (Rule 31) and beta reduction (Rules 32 and 33).


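Lemma 7 If $\Gamma \vdash c : K$ then $\Gamma \vdash c = R(c, K)\{R(\Gamma)\} : K$.

Proof

The proof is by induction on $\Gamma'$ that if $\Gamma, \Gamma' \vdash c : K$ then $\Gamma, \Gamma' \vdash c = R(c, K)\{R(\Gamma')\} : K$. For empty $\Gamma'$, use Lemma 6. In the inductive case, suppose $\Gamma' = \alpha{:}K', \Gamma''$. Then $R(\Gamma') = R(\Gamma'')\{R(\alpha, K')/\alpha\}$. By induction, $\Gamma, \alpha{:}K', \Gamma'' \vdash c = R(c, K)\{R(\Gamma'')\} : K$. Since $\Gamma, \alpha{:}K', \Gamma'' \vdash \alpha : K'$, by Lemma 6 it follows that $\Gamma, \alpha{:}K', \Gamma'' \vdash \alpha = R(\alpha, K') : K'$. By weakening and substitution, $\Gamma, \alpha{:}K', \Gamma'' \vdash c\{\alpha/\alpha\} = R(c, K)\{R(\Gamma'')\}\{R(\alpha, K')/\alpha\} : K$. That is, $\Gamma, \Gamma' \vdash c = R(c, K)\{R(\Gamma')\} : K$.


Corollary 8 If $\Gamma \vdash c_1 = c_2 : K$ then $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} = R(c_2, K)\{R(\Gamma)\} : K$.

Proof

By regularity, Lemma 7, symmetry and transitivity.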
4.2 The Decision Algorithm


Stone  and  Harper’s  decision  algorithm  for  constructor  equivalence  is  given  in  Figure  6.  This  algorithm  is 
unusual  in  that  it  is  a  six  place  algorithm;  it  maintains  two  assignments  and  two  kinds.  This  allows  the  two 
halves  of  the  algorithm  to  operate  independently,  which  is  critical  to  Stone  and  Harper’s  proof  and  to  this 
one.2  In  common  usage,  the  two  assignments  and  the  two  kinds  are  equivalent  (but  often  not  identical).  The 
critical  singleton  reduction  rule  appears  as  the  ninth  clause. 

The  algorithm  works  as  follows: 


1. The algorithm is presented with a query of the form $\Gamma \vdash c : K \Leftrightarrow \Gamma' \vdash c' : K'$. When $\vdash \Gamma = \Gamma'$ and $\Gamma \vdash K = K'$, this determines whether $\Gamma \vdash c = c' : K$ is derivable.

2. The constructor equivalence rules add appropriate elimination forms (applications or projections) to the constructors being compared in order to drive them down to kind $T$ or a singleton kind. Then those constructors are reduced to weak head normal form.

3. Elimination contexts ($E$) are defined in the usual manner, as shown below. A constructor of the form $E[\alpha]$ is referred to as a path, and $\alpha$ is called the head of the path. We will often use the metavariable $p$ to range over paths.

$E ::= [\,] \mid E\,c \mid \pi_1 E \mid \pi_2 E$

A constructor is reduced to weak head normal form by alternating beta reductions and singleton reductions. Beta reduction of a constructor $c$ is performed by placing it in the form $E[c]$ where $c$ is a beta redex, and reducing to $E[c']$ where $c'$ is the corresponding contractum. Repetition of this will ultimately result in a path (if the constructor is well-formed, which is assumed).

4. Singleton reduction of a path $p$ is performed by determining its natural kind, and replacing $p$ with $c$ whenever $p$'s natural kind is some singleton kind $S(c)$. (Formally, the algorithm adds an evaluation context, reducing $E[p]$ to $E[c]$ when $p$ has natural kind $S(c)$, but $E$ will be empty when $E[p]$ is well-formed.)

Note that the natural kind of a path is not a principal kind. For example, if $\Gamma(\alpha) = T$ then the natural kind of $\alpha$ is $T$, but $\alpha$ has principal kind $S(\alpha)$.

5. When no more beta or singleton reductions apply, the algorithm compares the two paths, checking that they have the same head variable and the same series of eliminations. When checking that two applications are the same, the main algorithm is reinvoked to determine whether the arguments are equal.
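The interplay between expansion and singleton reduction can be run directly. The following Python code is an added illustration, not code from the paper or from Stone and Harper: it implements the expansion $R(c,K)\{R(\Gamma)\}$ from the cases of Lemma 6 and the proof of Lemma 7, together with natural kind extraction and weak head normalization, and counts how many singleton reductions normalization performs. The tuple encoding and the names `subst`, `R`, `expand`, `natural_kind`, `step` and `whnf` are assumptions of this example.

```python
import itertools

# Constructed encoding (an assumption of this example, not the paper's notation):
#   constructors ("var", a) ("con", b) ("lam", a, K, c) ("app", c1, c2)
#                ("pair", c1, c2) ("pi1", c) ("pi2", c)
#   kinds        ("T",) ("S", c) ("Pi", a, K1, K2) ("Sig", a, K1, K2)
T = ("T",)
_ids = itertools.count()


def subst(t, x, s):
    """Capture-avoiding substitution t{s/x} over constructors and kinds."""
    tag = t[0]
    if tag == "var":
        return s if t[1] == x else t
    if tag in ("con", "T"):
        return t
    if tag in ("lam", "Pi", "Sig"):
        _, a, k, body = t
        k = subst(k, x, s)
        if a == x:                       # x is shadowed inside the body
            return (tag, a, k, body)
        fresh = f"{a}%{next(_ids)}"      # always rename the binder so s is never captured
        body = subst(body, a, ("var", fresh))
        return (tag, fresh, k, subst(body, x, s))
    return (tag,) + tuple(subst(u, x, s) for u in t[1:])


def R(c, k):
    """Expansion R(c, K), following the four cases in the proof of Lemma 6."""
    if k[0] == "T":
        return c
    if k[0] == "S":
        return k[1]
    tag, a, k1, k2 = k
    if tag == "Pi":
        fresh = f"{a}%{next(_ids)}"      # bound variable chosen so it is not free in c
        arg = R(("var", fresh), k1)
        return ("lam", fresh, k1, R(("app", c, arg), subst(k2, a, arg)))
    first = R(("pi1", c), k1)
    return ("pair", first, R(("pi2", c), subst(k2, a, first)))


def expand(c, k, gamma):
    """R(c, K){R(Gamma)}; gamma is an ordered dict, later bindings are substituted first."""
    c = R(c, k)
    for a, ka in reversed(list(gamma.items())):
        c = subst(c, a, R(("var", a), ka))
    return c


def natural_kind(gamma, p):
    """Natural kind of a path p, or None when p is not a path under gamma."""
    tag = p[0]
    if tag == "var":
        return gamma.get(p[1])
    if tag == "con":
        return T
    if tag not in ("app", "pi1", "pi2"):
        return None
    k = natural_kind(gamma, p[1])
    if tag == "app":
        return subst(k[3], k[1], p[2]) if k and k[0] == "Pi" else None
    if not k or k[0] != "Sig":
        return None
    return k[2] if tag == "pi1" else subst(k[3], k[1], ("pi1", p[1]))


def step(gamma, c):
    """One weak head reduction step: (c', used_singleton_reduction) or None."""
    tag = c[0]
    if tag == "app" and c[1][0] == "lam":                 # beta for functions
        return subst(c[1][3], c[1][1], c[2]), False
    if tag in ("pi1", "pi2") and c[1][0] == "pair":       # beta for pairs
        return c[1][1 if tag == "pi1" else 2], False
    if tag in ("app", "pi1", "pi2"):                      # reduce under the elimination context
        r = step(gamma, c[1])
        if r is not None:
            return (tag, r[0]) + c[2:], r[1]
    k = natural_kind(gamma, c)
    if k is not None and k[0] == "S":                     # singleton reduction
        return k[1], True
    return None


def whnf(gamma, c):
    """Weak head normal form of c and the number of singleton reductions used."""
    used = 0
    while (r := step(gamma, c)) is not None:
        c, singleton = r
        used += singleton
    return c, used
```

With `t : S(int)` and `f : Πa:T.S(a)` in the assignment, `f t` normalizes to `int` only by singleton reduction, while its expansion is `(λa:T.a) int`, which reaches `int` by beta reduction alone.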


We  may  state  the  following  correctness  theorem  for  the  algorithm: 

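Theorem 9 (Stone-Harper)

1. (Completeness) If $\Gamma \vdash c_1 = c_2 : K$ then $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma \vdash c_2 : K$.

2. (Soundness) Suppose $\vdash \Gamma = \Gamma'$, $\Gamma \vdash K = K'$, $\Gamma \vdash c_1 : K$ and $\Gamma' \vdash c_2 : K'$. Then if $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma' \vdash c_2 : K'$ then $\Gamma \vdash c_1 = c_2 : K$.


Corollary 10 If $\Gamma \vdash c_1 = c_2 : K$ then $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K \Leftrightarrow \Gamma \vdash R(c_2, K)\{R(\Gamma)\} : K$.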


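2 Stone and Harper also prove their six-place algorithm equivalent to a conventional four-place algorithm, which is preferable in practice.


Natural kind extraction

$\Gamma \vdash \alpha \uparrow \Gamma(\alpha)$
$\Gamma \vdash b \uparrow T$
$\Gamma \vdash \pi_1 p \uparrow K_1$ if $\Gamma \vdash p \uparrow \Sigma\alpha{:}K_1.K_2$
$\Gamma \vdash \pi_2 p \uparrow K_2\{\pi_1 p/\alpha\}$ if $\Gamma \vdash p \uparrow \Sigma\alpha{:}K_1.K_2$
$\Gamma \vdash p\,c \uparrow K_2\{c/\alpha\}$ if $\Gamma \vdash p \uparrow \Pi\alpha{:}K_1.K_2$

Weak head reduction

$\Gamma \vdash E[(\lambda\alpha{:}K.c)c'] \longrightarrow E[c\{c'/\alpha\}]$
$\Gamma \vdash E[\pi_1\langle c_1, c_2\rangle] \longrightarrow E[c_1]$
$\Gamma \vdash E[\pi_2\langle c_1, c_2\rangle] \longrightarrow E[c_2]$
$\Gamma \vdash E[p] \longrightarrow E[c]$ if $\Gamma \vdash p \uparrow S(c)$ (singleton reduction)

Weak head normalization

$\Gamma \vdash c \Downarrow c'$ if $\Gamma \vdash c \longrightarrow c''$ and $\Gamma \vdash c'' \Downarrow c'$
$\Gamma \vdash c \Downarrow c$ otherwise

Algorithmic constructor equivalence

$\Gamma_1 \vdash c_1 : T \Leftrightarrow \Gamma_2 \vdash c_2 : T$ if $\Gamma_1 \vdash c_1 \Downarrow p_1$ and $\Gamma_2 \vdash c_2 \Downarrow p_2$ and $\Gamma_1 \vdash p_1 \uparrow T \leftrightarrow \Gamma_2 \vdash p_2 \uparrow T$
$\Gamma_1 \vdash c_1 : S(c_1') \Leftrightarrow \Gamma_2 \vdash c_2 : S(c_2')$ if $\Gamma_1 \vdash c_1 \Downarrow p_1$ and $\Gamma_2 \vdash c_2 \Downarrow p_2$ and $\Gamma_1 \vdash p_1 \uparrow T \leftrightarrow \Gamma_2 \vdash p_2 \uparrow T$
$\Gamma_1 \vdash c_1 : \Pi\alpha{:}K_1.K_1' \Leftrightarrow \Gamma_2 \vdash c_2 : \Pi\alpha{:}K_2.K_2'$ if $\Gamma_1, \alpha{:}K_1 \vdash c_1\alpha : K_1' \Leftrightarrow \Gamma_2, \alpha{:}K_2 \vdash c_2\alpha : K_2'$
$\Gamma_1 \vdash c_1 : \Sigma\alpha{:}K_1.K_1' \Leftrightarrow \Gamma_2 \vdash c_2 : \Sigma\alpha{:}K_2.K_2'$ if $\Gamma_1 \vdash \pi_1 c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash \pi_1 c_2 : K_2$ and $\Gamma_1 \vdash \pi_2 c_1 : K_1'\{\pi_1 c_1/\alpha\} \Leftrightarrow \Gamma_2 \vdash \pi_2 c_2 : K_2'\{\pi_1 c_2/\alpha\}$

Algorithmic path equivalence

$\Gamma_1 \vdash \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_2 \vdash \alpha \uparrow \Gamma_2(\alpha)$
$\Gamma_1 \vdash b_1 \uparrow T \leftrightarrow \Gamma_2 \vdash b_2 \uparrow T$ if $b_1 = b_2$
$\Gamma_1 \vdash p_1 c_1 \uparrow K_1'\{c_1/\alpha\} \leftrightarrow \Gamma_2 \vdash p_2 c_2 \uparrow K_2'\{c_2/\alpha\}$ if $\Gamma_1 \vdash p_1 \uparrow \Pi\alpha{:}K_1.K_1' \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Pi\alpha{:}K_2.K_2'$ and $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash c_2 : K_2$
$\Gamma_1 \vdash \pi_1 p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \vdash \pi_1 p_2 \uparrow K_2$ if $\Gamma_1 \vdash p_1 \uparrow \Sigma\alpha{:}K_1.K_1' \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Sigma\alpha{:}K_2.K_2'$
$\Gamma_1 \vdash \pi_2 p_1 \uparrow K_1'\{\pi_1 p_1/\alpha\} \leftrightarrow \Gamma_2 \vdash \pi_2 p_2 \uparrow K_2'\{\pi_1 p_2/\alpha\}$ if $\Gamma_1 \vdash p_1 \uparrow \Sigma\alpha{:}K_1.K_1' \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Sigma\alpha{:}K_2.K_2'$


Figure 6: Constructor Equivalence Algorithm


There is one minor difference between this algorithm and the one presented in Stone and Harper. When checking constructor equivalence at a singleton kind, Stone and Harper's algorithm immediately succeeds, while the algorithm here behaves the same as when comparing at kind $T$. However, Stone and Harper's proof goes through in almost exactly the same way, with only a change to one subcase of their "Main Lemma." Their algorithm is more efficient, since it terminates early in some cases, but for our purposes we are not concerned with efficiency. The advantage of this version of the algorithm is that we may obtain the stronger version of soundness given in Theorem 12: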


Definition  11  A  derivation  is  mostly  free  of  singleton  elimination  if  every  use  of  singleton  elimination 
(Rule  34)  in  that  derivation  lies  within  a  subderivation  whose  root  is  a  constructor  formation  or  subkinding 
judgement. 


Theorem 12 (Singleton-free soundness) Suppose $\vdash \Gamma = \Gamma'$, $\Gamma \vdash K = K'$, $\Gamma \vdash c_1 : K$ and $\Gamma' \vdash c_2 : K'$. Then if $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma' \vdash c_2 : K'$ without using singleton reduction then there exists a derivation of $\Gamma \vdash c_1 = c_2 : K$ that is mostly free of singleton elimination.

Proof 

By  inspection  of  Harper  and  Stone’s  proof. 
Theorem 12 fails with the more efficient version of the algorithm because when $\Gamma_1 \vdash c_1 : S(c_1') \Leftrightarrow \Gamma_2 \vdash c_2 : S(c_2')$, the soundness proof must use singleton elimination to show that $c_1$ and $c_1'$ are equal and that $c_2$ and $c_2'$ are equal, in the course of showing that $c_1$ and $c_2$ are equal.

In the next section we will show that the algorithmic derivation shown to exist by Corollary 10 is free of singleton reduction. Then Theorem 12 will permit us to conclude that the corresponding derivation in the declarative system is mostly free of singleton elimination. A derivation mostly free of singleton elimination uses singleton elimination in no significant manner; any residual uses (within constructor formation or subkinding) will be removed by singleton erasure in Section 4.4.


4.3  Absence  of  singleton  reduction 

The  heart  of  the  proof  is  to  show  that  singleton  reduction  will  not  be  used  in  a  derivation  of  algorithmic 
equivalence  of  expanded  constructors.  It  is  here  that  we  really  show  that  expansion  works  to  eliminate 
singleton  kinds:  if  the  algorithm  is  able  to  deduce  that  the  two  expanded  terms  are  equal  without  using 
singleton  reduction,  then  we  have  obviated  the  need  for  singleton  kinds. 

The  proof  works  by  defining  a  condition,  called  protectedness,  that  is  satisfied  by  expanded  constructors, 
that  rules  out  any  need  for  singleton  reduction,  and  that  is  preserved  by  the  algorithm.  First  we  make  some 
preliminary  definitions: 


Definition 13

• Two kinds $K$ and $K'$ are similar (written $K \approx K'$) if they are the same modulo the contents of singleton kinds. That is, similarity is the least congruence such that $S(c) \approx S(c')$ for any constructors $c$ and $c'$.

• Two assignments $\Gamma$ and $\Gamma'$ are similar (written $\Gamma \approx \Gamma'$) if they bind the same variables in the same order, and if $\Gamma(\alpha) \approx \Gamma'(\alpha)$ for all $\alpha \in \mathrm{Dom}(\Gamma)$.


Note  that  a  well-formed  kind  can  be  similar  to  an  ill-formed  kind,  and  likewise  for  assignments.  When  two 
kinds  or  two  assignments  are  similar,  they  are  said  to  have  the  same  shape.  For  the  proof  of  the  absence  of 
singleton  reductions,  we  will  be  able  to  disregard  the  actual  kinds  and  assignments  being  used  and  consider 
only  their  shapes;  this  will  simplify  the  proof  considerably.  This  works  because  the  contents  of  singleton 
kinds  are  only  pertinent  to  singleton  reduction,  which  we  are  showing  never  takes  place. 

We  also  define  contexts  ( C )  as  shown  below.  Note  that  contexts  are  defined  to  have  exactly  one  hole,  and 
note  also  that  evaluation  contexts  are  a  subclass  of  contexts.  As  we  are  not  concerned  with  the  contents 
of  singleton  kinds,  there  is  no  need  for  contexts  to  account  for  constructors  appearing  within  the  domain 
kind  of  a  lambda  abstraction.  Instantiation  of  a  context  is  defined  in  the  usual  manner;  in  particular,  it  is 
permissible  for  instantiation  to  capture  free  variables. 

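$C ::= [\,] \mid \lambda\alpha{:}K.C \mid C\,c \mid c\,C \mid \langle C, c\rangle \mid \langle c, C\rangle \mid \pi_1 C \mid \pi_2 C$

Finally, we define weak head reduction without a context in the usual manner (that is, $E[(\lambda\alpha{:}K.c)c'] \longrightarrow E[c\{c'/\alpha\}]$ and $E[\pi_i\langle c_1, c_2\rangle] \longrightarrow E[c_i]$). Note that if $c_1 \longrightarrow c_2$ then $\Gamma \vdash c_1 \longrightarrow c_2$ (recall algorithmic weak head reduction).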

We  are  now  ready  to  define  the  protectedness  property.  The  intuition  is  that  a  constructor  is  protected  if  every 
variable  in  that  constructor  appears  in  an  evaluation  context  that  drives  it  down  to  kind  T.  Consequently  no 
path  will  have  a  singleton  natural  kind  and  singleton  reduction  will  not  take  place.  In  order  to  ensure  that 
protectedness  is  preserved  by  the  algorithm,  we  strengthen  the  condition  so  that  the  evaluation  context  that 
drives  a  variable  to  kind  T  must  be  appropriate.  An  evaluation  context  is  appropriate  if,  for  every  application 
appearing  in  that  context,  the  argument  constructor  is  protected  (and,  moreover,  is  still  protected  when 
driven  to  kind  T  and  weak  head  normalized). 
Definition 14 Suppose $\Gamma$ is an assignment and $K$ is a kind. The unary relations $\Gamma$-protected, $K$-$\Gamma$-appropriate, and $K$-$\Gamma$-protected are the least relations such that:

1. Protectedness

• A constructor $c$ is $\Gamma$-protected if whenever $c = C[\alpha]$ (where $\alpha \in \mathrm{Dom}(\Gamma)$ and $C$ does not capture $\alpha$), there exist $C'$ and $E$ such that $C[\,] = C'[E[\,]]$, and $E[\alpha]$ is $T$-$\Gamma$-appropriate.

2. Appropriateness

• A path $\alpha$ is $K$-$\Gamma$-appropriate if $\Gamma(\alpha) \approx K$.

• A path $p\,c$ is $K_2$-$\Gamma$-appropriate if $p$ is $(\Pi\alpha{:}K_1.K_2)$-$\Gamma$-appropriate and $c$ is $K_1$-$\Gamma$-protected.

• A path $\pi_1 p$ is $K_1$-$\Gamma$-appropriate if $p$ is $(\Sigma\alpha{:}K_1.K_2)$-$\Gamma$-appropriate.

• A path $\pi_2 p$ is $K_2$-$\Gamma$-appropriate if $p$ is $(\Sigma\alpha{:}K_1.K_2)$-$\Gamma$-appropriate.

3. Protectedness relative to a kind

• A constructor $c$ is $T$-$\Gamma$-protected if $c$ is $\Gamma$-protected.

• A constructor $c$ is $S(c'')$-$\Gamma$-protected if $c$ is $\Gamma$-protected.

• A lambda abstraction $\lambda\alpha{:}K_1'.c$ is $(\Pi\alpha{:}K_1.K_2)$-$\Gamma$-protected if $c$ is $K_2$-$(\Gamma, \alpha{:}K_1)$-protected.

• A pair $\langle c_1, c_2\rangle$ is $(\Sigma\alpha{:}K_1.K_2)$-$\Gamma$-protected if $c_1$ is $K_1$-$\Gamma$-protected and $c_2$ is $K_2$-$\Gamma$-protected.


Note  that  the  relations  being  defined  appear  only  positively  above,  so  Definition  14  is  a  valid  inductive 
definition.  Also,  note  that  these  definitions  are  concerned  with  kinds  only  up  to  similarity,  and  for  this 
reason  the  definition  can  safely  ignore  the  presence  of  free  variables  in  kinds  and  assignments.  We  may 
immediately  observe  a  number  of  easy  structural  facts  about  these  definitions: 


Lemma 15

1. Suppose $\Gamma \approx \Gamma'$ and $K \approx K'$, then

• $c$ is $\Gamma$-protected if and only if $c$ is $\Gamma'$-protected,

• $c$ is $K$-$\Gamma$-protected if and only if $c$ is $K'$-$\Gamma'$-protected, and

• $p$ is $K$-$\Gamma$-appropriate if and only if $p$ is $K'$-$\Gamma'$-appropriate.

2. If $c$ is $\Gamma$-protected then $\lambda\alpha{:}K.c$, $\pi_1 c$, and $\pi_2 c$ are $\Gamma$-protected.

3. If $c_1$ and $c_2$ are $\Gamma$-protected then $c_1 c_2$ and $\langle c_1, c_2\rangle$ are $\Gamma$-protected.

4. If $E[\lambda\alpha{:}K.c]$ is $\Gamma$-protected then $c$ is $\Gamma$-protected.

5. If $E[c_1 c_2]$ is $\Gamma$-protected then $c_2$ is $\Gamma$-protected.

6. If $E[\langle c_1, c_2\rangle]$ is $\Gamma$-protected, then $c_1$ and $c_2$ are $\Gamma$-protected.

7. Any constructor is $\epsilon$-protected.

8. If $c$ is $(\Gamma \setminus \alpha)$-protected and $\alpha$ is not free in $c$, then $c$ is $\Gamma$-protected.

9. If $c$ is $\Gamma$-protected then $c$ is $(\Gamma \setminus \alpha)$-protected.

10. If $c$ is $K$-$\Gamma$-protected then $c$ is $\Gamma$-protected.
Proof

Parts 1-3 and 7-10 are by inspection. For part 4 observe that any path with its head in $c$ lies entirely within $c$. Likewise for part 5 observe that any path with its head in $c_2$ lies entirely within $c_2$, and similarly for part 6.


In order to show that protectedness is preserved by the algorithm, we need to show that it is preserved by weak head reduction. To show this we must first establish a substitution lemma. To do so, we will have need of the fact that any subexpression of a substitution results from one or the other participant in the substitution:


Lemma 16 If $C[c] = c_1\{c_2/\alpha\}$ and $C$ does not capture $\alpha$ then either

• there exist contexts $C_1$ and $C_2$ such that $c_1 = C_1[\alpha]$, $c_2 = C_2[c]$ and $C[\,] = (C_1\{c_2/\alpha\})[C_2[\,]]$ (that is, $c$ results from $c_2$), or

• there exists a context $C_1$ and a constructor $c'$ such that $c_1 = C_1[c']$, $c = c'\{c_2/\alpha\}$, and $C[\,] = (C_1\{c_2/\alpha\})[\,]$ (that is, $c$ results from some $c'$ in $c_1$).

Proof

By induction on $c_1$. If $C$ is empty then the second case is satisfied by $C_1[\,] = [\,]$ and $c' = c_1$. Therefore assume $C$ is nonempty.

Case 1: Suppose $c_1 = \alpha$. Then the first case is satisfied by $C_1[\,] = [\,]$ and $C_2[\,] = C[\,]$.

Case 2: Suppose $c_1 = \beta$ where $\beta \neq \alpha$. Then $C[c] = \beta$, which is impossible since $C$ is nonempty.

Case 3: Suppose $c_1 = \lambda\beta{:}K.c_1'$. Then $C[\,] = \lambda\beta{:}(K\{c_2/\alpha\}).(C'[\,])$. Since $C$ does not capture $\alpha$, it follows that $\beta \neq \alpha$. Note that $C'[c] = c_1'\{c_2/\alpha\}$. We proceed by case analysis using the induction hypothesis on $C'[c]$:

Subcase 3.1: Suppose there exist contexts $C_1'$ and $C_2$ such that $c_1' = C_1'[\alpha]$, $c_2 = C_2[c]$ and $C'[\,] = (C_1'\{c_2/\alpha\})[C_2[\,]]$. Then the first case is satisfied by $C_1[\,] = \lambda\beta{:}K.(C_1'[\,])$.

Subcase 3.2: Suppose there exists a context $C_1'$ and a constructor $c'$ such that $c_1' = C_1'[c']$, $c = c'\{c_2/\alpha\}$, and $C'[\,] = (C_1'\{c_2/\alpha\})[\,]$. Then the second case is satisfied by $C_1[\,] = \lambda\beta{:}K.(C_1'[\,])$.

Case 4: Suppose $c_1 = c_1' c_1''$. The remaining cases are similar. Then $C[\,]$ is either $(C'[\,])(c_1''\{c_2/\alpha\})$ or $(c_1'\{c_2/\alpha\})(C'[\,])$. Suppose the former; the latter is similar. Note that $C'[c] = c_1'\{c_2/\alpha\}$. We proceed by case analysis using the induction hypothesis on $C'[c]$:

Subcase 4.1: Suppose there exist contexts $C_1'$ and $C_2$ such that $c_1' = C_1'[\alpha]$, $c_2 = C_2[c]$ and $C'[\,] = (C_1'\{c_2/\alpha\})[C_2[\,]]$. Then the first case is satisfied by $C_1[\,] = (C_1'[\,])c_1''$.

Subcase 4.2: Suppose there exists a context $C_1'$ and a constructor $c'$ such that $c_1' = C_1'[c']$, $c = c'\{c_2/\alpha\}$, and $C'[\,] = (C_1'\{c_2/\alpha\})[\,]$. Then the second case is satisfied by $C_1[\,] = (C_1'[\,])c_1''$.


Lemma 17 (Substitution)

1. If $c_1$ is $\Gamma$-protected and $c_2$ is $\Gamma$-protected, then $c_1\{c_2/\alpha\}$ is $\Gamma$-protected.

2. If $p$ is $K$-$\Gamma$-appropriate, $c_2$ is $\Gamma$-protected and $\alpha$ is not the head of $p$, then $p\{c_2/\alpha\}$ is $K$-$\Gamma$-appropriate.

3. If $c_1$ is $K$-$\Gamma$-protected and $c_2$ is $\Gamma$-protected, then $c_1\{c_2/\alpha\}$ is $K$-$\Gamma$-protected.

Proof

The proof is by induction on the derivation of the first assumption (i.e., $c_1$ being $\Gamma$-protected, $p$ being $K$-$\Gamma$-appropriate, or $c_1$ being $K$-$\Gamma$-protected, respectively). We show part 1; the other two parts are easy using an inner induction on $K$.
We may assume, without loss of generality, that $\alpha \notin \mathrm{Dom}(\Gamma)$, if necessary by replacing $\alpha$ with a fresh variable and re-establishing protectedness of $c_1$ using Lemma 15 (parts 8 and 9). Suppose $C[\beta] = c_1\{c_2/\alpha\}$, $\beta \in \mathrm{Dom}(\Gamma)$, and $C$ does not capture $\beta$. By assumption, $\alpha \neq \beta$, so we may alpha-vary $C[\beta]$ as necessary to ensure that $C$ does not capture $\alpha$. We proceed by case analysis using Lemma 16:

Case 1: Suppose $c_1 = C_1[\alpha]$, $c_2 = C_2[\beta]$ and $C[\,] = (C_1\{c_2/\alpha\})[C_2[\,]]$. Since $c_2$ is $\Gamma$-protected, there exists $C_2'$ and $E$ such that $C_2[\,] = C_2'[E[\,]]$ and $E[\beta]$ is $T$-$\Gamma$-appropriate. Then $C[\,] = C'[E[\,]]$ where $C'[\,]$ is $(C_1\{c_2/\alpha\})[C_2'[\,]]$.

Case 2: Suppose $c_1 = C_1[c']$, $\beta = c'\{c_2/\alpha\}$, $C[\,] = (C_1\{c_2/\alpha\})[\,]$. The constructor $c'$ must be either $\alpha$ or $\beta$. In the former case, $c_2 = \beta$, and since $c_2$ is $\Gamma$-protected, it follows that protection is satisfied by setting $C'$ to $C$ and $E$ to empty. Therefore, assume $c' = \beta$.

Then $c_1$ is of the form $C_1[\beta]$ where $C_1$ does not capture $\beta$ (since $C$ does not). Since $c_1$ is $\Gamma$-protected, there must exist $C_1'$ and $E$ such that $C_1[\,] = C_1'[E[\,]]$ and $E[\beta]$ is $T$-$\Gamma$-appropriate. By induction, $E[\beta]\{c_2/\alpha\}$ is $T$-$\Gamma$-appropriate. Then $C[\,] = C'[E'[\,]]$ where $C'[\,]$ is $(C_1'\{c_2/\alpha\})[\,]$ and $E'$ is $(E\{c_2/\alpha\})[\,]$.


Corollary 18 If $c_1$ is $\Gamma$-protected and $c_1 \longrightarrow c_2$ then $c_2$ is $\Gamma$-protected.

Proof

We prove that if $E_{out}[c_1]$ is $\Gamma$-protected and $c_1 \longrightarrow c_2$ then $c_2$ is $\Gamma$-protected. The result follows by setting $E_{out} = [\,]$. Let $c_1$ be $E[c_1']$ and $c_2$ be $E[c_2']$, where $c_1'$ is a redex and $c_2'$ is its contractum. The proof is by induction on $E$.

Case 1: Suppose $E = [\,]$ and $c_1' = (\lambda\alpha{:}K.c)c'$. By Lemma 15 (parts 4 and 5), $c$ and $c'$ are $\Gamma$-protected. By Lemma 17, $c\{c'/\alpha\}$ is $\Gamma$-protected.

Case 2: Suppose $E = [\,]$ and $c_1' = \pi_i\langle c_1, c_2\rangle$. By Lemma 15 (part 6), $c_i$ is $\Gamma$-protected.

Case 3: Suppose $E = E'c$. Then $E'[c_1'] \longrightarrow E'[c_2']$ so, by induction, $E'[c_2']$ is $\Gamma$-protected. By Lemma 15 (part 5), $c$ is $\Gamma$-protected, so $E'[c_2']c$ is $\Gamma$-protected.

Case 4: Suppose $E = \pi_i E'$. Then $E'[c_1'] \longrightarrow E'[c_2']$ so, by induction, $E'[c_2']$ is $\Gamma$-protected. Thus $\pi_i E'[c_2']$ is $\Gamma$-protected.


We  will  also  need  a  technical  lemma  regarding  natural  kind  extraction: 


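Lemma 19

1. If $p$ is $K$-$\Gamma$-appropriate and $\Gamma \vdash p \uparrow K'$ then $K \approx K'$.

2. If $\Gamma_1 \vdash p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \vdash p_2 \uparrow K_2$ then $\Gamma_1 \vdash p_1 \uparrow K_1$ and $\Gamma_2 \vdash p_2 \uparrow K_2$.

Proof

Part 1 is by induction on $K$. Part 2 is by induction on the derivation.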

We  are  now  ready  to  prove  the  main  lemma: 

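Lemma 20 (Main Lemma)

1. If $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash c_2 : K_2$ is derivable, $c_1 \longrightarrow^* c_1'$, $c_2 \longrightarrow^* c_2'$, $c_1'$ is $K_1$-$\Gamma_1$-protected, and $c_2'$ is $K_2$-$\Gamma_2$-protected, then the derivation does not use singleton reduction.

2. If $\Gamma_1 \vdash p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \vdash p_2 \uparrow K_2$ is derivable, $p_1$ is $K_1$-$\Gamma_1$-appropriate, and $p_2$ is $K_2$-$\Gamma_2$-appropriate, then the derivation does not use singleton reduction.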
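Proof

By induction on the algorithmic derivation.

Case 1: Suppose the derivation's root is $\Gamma_1 \vdash c_1 : T \Leftrightarrow \Gamma_2 \vdash c_2 : T$. Then $\Gamma_1 \vdash c_1 \Downarrow p_1$, $\Gamma_2 \vdash c_2 \Downarrow p_2$, and $\Gamma_1 \vdash p_1 \uparrow T \leftrightarrow \Gamma_2 \vdash p_2 \uparrow T$. By the definitions of weak head normalization and reduction, it follows either that $c_1 \longrightarrow^* p_1$ or that $c_1 \longrightarrow^* E[p']$, $\Gamma_1 \vdash p' \uparrow S(c'')$, and $\Gamma_1 \vdash E[c''] \Downarrow p_1$. In either case $c_1$ beta weak head reduces to a path, so let $c_1 \longrightarrow^* p$. Since weak head reduction is deterministic and $p$ is in (beta) weak head normal form, it follows that $c_1' \longrightarrow^* p$. By assumption $c_1'$ is $\Gamma_1$-protected, so by Corollary 18, $p$ is $\Gamma_1$-protected.

Suppose $p$ singleton reduces and let $p$ be $E[\alpha]$. Then there exist $E_1$ and $E_2$ such that $E[\,] = E_1[E_2[\,]]$ and $\Gamma_1 \vdash E_2[\alpha] \uparrow S(c)$. Since $p$ is $\Gamma_1$-protected, there also exist $E_1'$ and $E_2'$ such that $E[\,] = E_1'[E_2'[\,]]$ and $E_2'[\alpha]$ is $T$-$\Gamma_1$-appropriate. One of $E_2[\alpha]$ and $E_2'[\alpha]$ must be a subpath of the other and both cases lead to a contradiction. If $E_2'[\alpha]$ is a subpath of $E_2[\alpha]$ then $\Gamma_1 \vdash E_2'[\alpha] \uparrow K$ for some $K$, but $K \approx T$ by Lemma 19 so it cannot be the case that $\Gamma_1 \vdash E_2[\alpha] \uparrow S(c)$. If $E_2[\alpha]$ is a subpath of $E_2'[\alpha]$ then $E_2[\alpha]$ is $K$-$\Gamma_1$-appropriate for some $K$, but $K \approx S(c)$ by Lemma 19 so it cannot be the case that $E_2'[\alpha]$ is $T$-$\Gamma_1$-appropriate.

Hence $p$ does not singleton reduce, and consequently $c_1 \longrightarrow^* p_1$ and $p_1$ is $\Gamma_1$-protected. Again let $p_1$ be $E[\alpha]$. Since $p_1$ is $\Gamma_1$-protected, there exist $E_1$ and $E_2$ such that $E[\,] = E_1[E_2[\,]]$ and $E_2[\alpha]$ is $T$-$\Gamma_1$-appropriate. Since $\Gamma_1 \vdash E_1[E_2[\alpha]] \uparrow T \leftrightarrow \Gamma_2 \vdash p_2 \uparrow T$, by Lemma 19 (part 1) $\Gamma_1 \vdash E_1[E_2[\alpha]] \uparrow T$, and therefore $\Gamma_1 \vdash E_2[\alpha] \uparrow K$ for some $K$. By Lemma 19 (part 2), $K \approx T$, which means that $E_1$ must be empty. Therefore, $p_1$ is $T$-$\Gamma_1$-appropriate. Similarly $c_2 \longrightarrow^* p_2$ and $p_2$ is $T$-$\Gamma_2$-appropriate. The result follows by induction.

Case 2: Suppose the derivation's root is $\Gamma_1 \vdash c_1 : S(c_1') \Leftrightarrow \Gamma_2 \vdash c_2 : S(c_2')$. This case is identical to the previous case.

Case 3: Suppose the derivation's root is $\Gamma_1 \vdash c_1 : \Pi\alpha{:}K_{11}.K_{12} \Leftrightarrow \Gamma_2 \vdash c_2 : \Pi\alpha{:}K_{21}.K_{22}$. By assumption, $c_1 \longrightarrow^* c_1'$ and $c_1'$ is of the form $\lambda\alpha{:}K_{11}'.c''$ where $c''$ is $K_{12}$-$(\Gamma_1, \alpha{:}K_{11})$-protected. Then $c_1\alpha \longrightarrow^* c''$. Similarly, $c_2\alpha \longrightarrow^* c_2''$ for some $K_{22}$-$(\Gamma_2, \alpha{:}K_{21})$-protected $c_2''$. The result follows by induction.

Case 4: Suppose the derivation's root is $\Gamma_1 \vdash c_1 : \Sigma\alpha{:}K_{11}.K_{12} \Leftrightarrow \Gamma_2 \vdash c_2 : \Sigma\alpha{:}K_{21}.K_{22}$. By assumption, $c_1 \longrightarrow^* c_1'$ and $c_1'$ is of the form $\langle c_{11}, c_{12}\rangle$ where $c_{11}$ is $K_{11}$-$\Gamma_1$-protected and $c_{12}$ is $K_{12}$-$\Gamma_1$-protected. Then $\pi_1 c_1 \longrightarrow^* c_{11}$ and $\pi_2 c_1 \longrightarrow^* c_{12}$. Since $K_{12} \approx K_{12}\{\pi_1 c_1/\alpha\}$, it follows that $c_{12}$ is $(K_{12}\{\pi_1 c_1/\alpha\})$-$\Gamma_1$-protected. Similarly, $\pi_1 c_2 \longrightarrow^* c_{21}$ and $\pi_2 c_2 \longrightarrow^* c_{22}$ for some $K_{21}$-$\Gamma_2$-protected $c_{21}$ and some $(K_{22}\{\pi_1 c_2/\alpha\})$-$\Gamma_2$-protected $c_{22}$. The result follows by induction.

Case 5: Suppose the derivation's root is $\Gamma_1 \vdash \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_2 \vdash \alpha \uparrow \Gamma_2(\alpha)$. The result follows trivially.

Case 6: Suppose the derivation's root is $\Gamma_1 \vdash b \uparrow T \leftrightarrow \Gamma_2 \vdash b \uparrow T$. The result follows trivially.

Case 7: Suppose the derivation's root is $\Gamma_1 \vdash p_1 c_1 \uparrow K_{12}\{c_1/\alpha\} \leftrightarrow \Gamma_2 \vdash p_2 c_2 \uparrow K_{22}\{c_2/\alpha\}$. Then $\Gamma_1 \vdash p_1 \uparrow \Pi\alpha{:}K_{11}.K_{12} \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Pi\alpha{:}K_{21}.K_{22}$ and $\Gamma_1 \vdash c_1 : K_{11} \Leftrightarrow \Gamma_2 \vdash c_2 : K_{21}$. Since (invoking Lemma 15 (part 1)) $p_1 c_1$ is $K_{12}$-$\Gamma_1$-appropriate, it follows that $p_1$ is $(\Pi\alpha{:}K_{11}'.K_{12})$-$\Gamma_1$-appropriate and $c_1$ is $K_{11}'$-$\Gamma_1$-protected, for some $K_{11}'$. However, by Lemma 19 it follows that $K_{11}' \approx K_{11}$. Thus, $p_1$ is $(\Pi\alpha{:}K_{11}.K_{12})$-$\Gamma_1$-appropriate and $c_1$ is $K_{11}$-$\Gamma_1$-protected. Similarly, $p_2$ is $(\Pi\alpha{:}K_{21}.K_{22})$-$\Gamma_2$-appropriate and $c_2$ is $K_{21}$-$\Gamma_2$-protected. The result follows by induction.

Case 8: Suppose the derivation's root is $\Gamma_1 \vdash \pi_1 p_1 \uparrow K_{11} \leftrightarrow \Gamma_2 \vdash \pi_1 p_2 \uparrow K_{21}$. Then $\Gamma_1 \vdash p_1 \uparrow \Sigma\alpha{:}K_{11}.K_{12} \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Sigma\alpha{:}K_{21}.K_{22}$. Since $\pi_1 p_1$ is $K_{11}$-$\Gamma_1$-appropriate, it follows that $p_1$ is $(\Sigma\alpha{:}K_{11}.K_{12}')$-$\Gamma_1$-appropriate. However, by Lemma 19 it follows that $K_{12}' \approx K_{12}$. Thus, $p_1$ is $(\Sigma\alpha{:}K_{11}.K_{12})$-$\Gamma_1$-appropriate. Similarly, $p_2$ is $(\Sigma\alpha{:}K_{21}.K_{22})$-$\Gamma_2$-appropriate. The result follows by induction.

Case 9: Suppose the derivation's root is $\Gamma_1 \vdash \pi_2 p_1 \uparrow K_{12}\{\pi_1 p_1/\alpha\} \leftrightarrow \Gamma_2 \vdash \pi_2 p_2 \uparrow K_{22}\{\pi_1 p_2/\alpha\}$. Then $\Gamma_1 \vdash p_1 \uparrow \Sigma\alpha{:}K_{11}.K_{12} \leftrightarrow \Gamma_2 \vdash p_2 \uparrow \Sigma\alpha{:}K_{21}.K_{22}$. Since (invoking Lemma 15 (part 1)) $\pi_2 p_1$ is $K_{12}$-$\Gamma_1$-appropriate, it follows that $p_1$ is $(\Sigma\alpha{:}K_{11}'.K_{12})$-$\Gamma_1$-appropriate. However, by Lemma 19 it follows that $K_{11} \approx K_{11}'$. Thus, $p_1$ is $(\Sigma\alpha{:}K_{11}.K_{12})$-$\Gamma_1$-appropriate. Similarly, $p_2$ is $(\Sigma\alpha{:}K_{21}.K_{22})$-$\Gamma_2$-appropriate. The result follows by induction.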

It  remains  to  show  that  expanded  constructors  are  protected. 
Definition 21

• The kind $T$ is $\Gamma$-protected.

• The kind $S(c)$ is $\Gamma$-protected if $c$ is.

• The kinds $\Pi\alpha{:}K_1.K_2$ and $\Sigma\alpha{:}K_1.K_2$ are $\Gamma$-protected if both $K_1$ and $K_2$ are.


Lemma  22 

1.  If  p  is  K -T -appropriate  and  K  is  V -protected  then  R(p,K)  is  T -protected. 

2.  If  c  and  K  are  T -protected  then  R(c,  K)  is  K -r -protected. 

Proof 

By  induction  on  K. 

Case 1: Suppose $K = T$. Part 2 is trivial. For part 1, we wish to show that $p$ is $\Gamma$-protected. Let $p$ be $E[\alpha]$ and suppose $p = C[\beta]$. If $C = E$ then the result is immediate. Otherwise $C$ chooses $\beta$ from within one of the argument positions in the path. That is, $E[\,] = E_1[(E_2[\,])(C'[\beta])]$ and $C[\,] = E_1[(E_2[\alpha])(C'[\,])]$.

Since $p$ is $T$-$\Gamma$-appropriate, $C'[\beta]$ is $K'$-$\Gamma$-protected (for some $K'$), and thus $C'[\beta]$ is $\Gamma$-protected. Hence there exist $C''$ and $E'$ such that $C'[\,] = C''[E'[\,]]$ and $E'[\beta]$ is $T$-$\Gamma$-appropriate. The result follows choosing $E_1[(E_2[\alpha])(C''[\,])]$ for the outer context and $E'$ for the inner.

Case 2: Suppose $K = S(c')$. Both parts are trivial, since $c'$ is $\Gamma$-protected.

Case 3: Suppose $K = \Pi\alpha{:}K_1.K_2$. Assume, without loss of generality, that $\alpha \notin \mathrm{Dom}(\Gamma)$ and $\alpha$ is not free in $c$. Then $\alpha$ is trivially $K_1$-$(\Gamma, \alpha{:}K_1)$-appropriate. Therefore, by induction, $R(\alpha, K_1)$ is $(\Gamma, \alpha{:}K_1)$-protected. By Lemma 17 (and an easy induction over $K_2$), it follows that $K_2\{R(\alpha, K_1)/\alpha\}$ is $(\Gamma, \alpha{:}K_1)$-protected. Using Lemma 15, $K_2\{R(\alpha, K_1)/\alpha\}$ is also $\Gamma$-protected.

1. Since $\alpha \notin \mathrm{Dom}(\Gamma)$, $\alpha$ is $\Gamma$-protected. By induction, $R(\alpha, K_1)$ is $K_1$-$\Gamma$-protected. Thus $p\,R(\alpha, K_1)$ is $K_2$-$\Gamma$-appropriate. By induction, $R(p\,R(\alpha, K_1), K_2\{R(\alpha, K_1)/\alpha\})$ is $\Gamma$-protected. By Lemma 15, $R(p, K) = \lambda\alpha{:}K_1.R(p\,R(\alpha, K_1), K_2\{R(\alpha, K_1)/\alpha\})$ is $\Gamma$-protected.

2. Since $\alpha$ is not free in $c$, by Lemma 15 $c$ is $(\Gamma, \alpha{:}K_1)$-protected. Thus $c\,R(\alpha, K_1)$ is $(\Gamma, \alpha{:}K_1)$-protected. By induction $R(c\,R(\alpha, K_1), K_2\{R(\alpha, K_1)/\alpha\})$ is $K_2$-$(\Gamma, \alpha{:}K_1)$-protected. Hence $R(c, K)$ is $K$-$\Gamma$-protected.

Case 4: Suppose $K = \Sigma\alpha{:}K_1.K_2$.

1. By definition, $\pi_1 p$ is $K_1$-$\Gamma$-appropriate and $\pi_2 p$ is $K_2$-$\Gamma$-appropriate. By induction, $R(\pi_1 p, K_1)$ is $\Gamma$-protected. By Lemma 17, $K_2\{R(\pi_1 p, K_1)/\alpha\}$ is $\Gamma$-protected, so by induction, $R(\pi_2 p, K_2\{R(\pi_1 p, K_1)/\alpha\})$ is $\Gamma$-protected. By Lemma 15, $R(p, K) = \langle R(\pi_1 p, K_1), R(\pi_2 p, K_2\{R(\pi_1 p, K_1)/\alpha\})\rangle$ is $\Gamma$-protected.

2. By Lemma 15, $\pi_1 c$ and $\pi_2 c$ are $\Gamma$-protected. By induction, $R(\pi_1 c, K_1)$ is $K_1$-$\Gamma$-protected. Therefore $R(\pi_1 c, K_1)$ is also $\Gamma$-protected, so by Lemma 17, $K_2\{R(\pi_1 c, K_1)/\alpha\}$ is $\Gamma$-protected. By induction $R(\pi_2 c, K_2\{R(\pi_1 c, K_1)/\alpha\})$ is $K_2$-$\Gamma$-protected. Hence $R(c, K)$ is $K$-$\Gamma$-protected.


Lemma 23 If $\Gamma \vdash \mathrm{ok}$ then $R(c, K)\{R(\Gamma)\}$ is $K$-$\Gamma$-protected.

Proof 

Observe first that since $\Gamma \vdash \mathrm{ok}$, whenever $\Gamma = \Gamma_1, \alpha{:}K', \Gamma_2$, neither $\alpha$ nor any variable in $\mathrm{Dom}(\Gamma_2)$ can appear free in $K'$. We claim that for any $c'$, $c'\{R(\Gamma)\}$ is $\Gamma$-protected. By Lemma 5, $R(c, K)\{R(\Gamma)\} = R(c\{R(\Gamma)\}, K\{R(\Gamma)\})$. It follows from the claim that $c\{R(\Gamma)\}$ and $K\{R(\Gamma)\}$ are $\Gamma$-protected, and therefore, by Lemma 22, $R(c\{R(\Gamma)\}, K\{R(\Gamma)\})$ is $(K\{R(\Gamma)\})$-$\Gamma$-protected. Then $R(c\{R(\Gamma)\}, K\{R(\Gamma)\})$ is $K$-$\Gamma$-protected as well, since $K \approx K\{R(\Gamma)\}$.

We prove the claim by induction on $\Gamma$. The base case is trivial. Suppose then $\Gamma = \alpha{:}K', \Gamma'$. By induction, $c'\{R(\Gamma')\}$ is $\Gamma'$-protected. By the initial observation, neither $\alpha$ nor any variable in $\mathrm{Dom}(\Gamma')$ is free in $K'$. Therefore $K'$ is $\Gamma$-protected. Also $\Gamma(\alpha) = K'$ so $\alpha$ is $K'$-$\Gamma$-appropriate. By Lemma 22, $R(\alpha, K')$ is $\Gamma$-protected. We cannot immediately claim by Lemma 17 that $c'\{R(\Gamma)\}$ is $\Gamma$-protected, since $c'\{R(\Gamma')\}$ may contain free occurrences of $\alpha$ and thus might not be $\Gamma$-protected. However, any such occurrences are nonessential, since they will only be substituted away. We make this explicit with a change of variables. Let $\beta$ be fresh. Then by changing variables we obtain:

$$c'\{R(\Gamma)\} = c'\{R(\Gamma')\}\{R(\alpha, K')/\alpha\} = c'\{R(\Gamma')\}\{\beta/\alpha\}\{R(\alpha, K')/\beta\}$$

Then $c'\{R(\Gamma')\}\{\beta/\alpha\}$ is $\Gamma$-protected, since it does not contain $\alpha$ free. Therefore, by Lemma 17, $c'\{R(\Gamma)\}$ is $\Gamma$-protected.


Corollary 24 If $\Gamma \vdash c_1 = c_2 : K$ then there exists a derivation of $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} = R(c_2, K)\{R(\Gamma)\} : K$ that is mostly free of singleton elimination.

Proof 

Suppose $\Gamma \vdash c_1 = c_2 : K$. By regularity, $\Gamma \vdash \mathrm{ok}$. By Corollary 10, $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K \Leftrightarrow \Gamma \vdash R(c_2, K)\{R(\Gamma)\} : K$. By Lemma 23, both $R(c_1, K)\{R(\Gamma)\}$ and $R(c_2, K)\{R(\Gamma)\}$ are $K$-$\Gamma$-protected, and each weak head reduces to itself, so by Lemma 20 the algorithmic derivation is free of singleton reduction. Therefore the desired derivation exists by Theorem 12.


4.4  Wrapping  up 

To  complete  the  first  half  of  the  proof,  we  need  only  the  fact  that  singleton  erasure  preserves  derivability  of 
judgements  with  mostly  singleton  free  derivations. 

Lemma  25 

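1. If $\Gamma \vdash c_1 = c_2 : K$ has a derivation mostly free of singleton elimination, then $\Gamma^\circ \vdash_{sf} c_1^\circ = c_2^\circ : K^\circ$.

2. If $\Gamma \vdash c : K$ then $\Gamma^\circ \vdash_{sf} c^\circ : K^\circ$.

3. If $\Gamma \vdash K_1 \le K_2$ then $K_1^\circ = K_2^\circ$.

4. If $\Gamma \vdash \mathrm{ok}$ then $\Gamma^\circ \vdash_{sf} \mathrm{ok}$.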

Proof 

By  a  straightforward  induction  on  derivations. 


Corollary 26 If $\Gamma \vdash c_1 = c_2 : K$ then $\Gamma^\circ \vdash_{sf} (R(c_1, K)\{R(\Gamma)\})^\circ = (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$.
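
The expansion $R$ and the erasure $(\cdot)^\circ$ that Corollary 26 composes, as an added Python illustration that is not part of the paper. The $\Pi$ and $\Sigma$ clauses follow the equations for $R(p, K)$ in Cases 3 and 4 of the proof of Lemma 22; the clauses for $T$ and $S(c')$, the rule that erasure sends $S(c)$ to $T$, the tuple encoding and the sample kinds are assumptions, and the context substitution $\{R(\Gamma)\}$ is left out.

```python
# Added illustration; not code from the paper.
# Kinds:        ("T",)  ("S", c)  ("Pi", a, K1, K2)  ("Sigma", a, K1, K2)
# Constructors: ("var", a)  ("con", name)  ("lam", a, K, c)  ("app", c1, c2)
#               ("pair", c1, c2)  ("pi1", c)  ("pi2", c)
# Assumption: bound variables are named apart from each other and from the
# free variables, so plain substitution cannot capture.
BINDERS = ("Pi", "Sigma", "lam")

def subst(t, a, c):
    """t{c/a} for a kind or constructor t."""
    tag = t[0]
    if tag == "var":
        return c if t[1] == a else t
    if tag in ("T", "con"):
        return t
    if tag in BINDERS:
        _, b, k, body = t
        return (tag, b, subst(k, a, c), body if b == a else subst(body, a, c))
    return (tag,) + tuple(subst(x, a, c) for x in t[1:])

def expand(c, k):
    """R(c, K): replace c by what the singletons inside K say it must be."""
    tag = k[0]
    if tag == "T":          # assumed clause: R(c, T) is c itself
        return c
    if tag == "S":          # assumed clause: R(c, S(c')) is c'
        return k[1]
    _, a, k1, k2 = k
    if tag == "Pi":         # lam a:K1. R(c R(a,K1), K2{R(a,K1)/a})
        arg = expand(("var", a), k1)
        return ("lam", a, k1, expand(("app", c, arg), subst(k2, a, arg)))
    first = expand(("pi1", c), k1)   # <R(pi1 c,K1), R(pi2 c, K2{R(pi1 c,K1)/a})>
    return ("pair", first, expand(("pi2", c), subst(k2, a, first)))

def erase(t):
    """Singleton erasure: every S(c) becomes T, everything else is kept."""
    tag = t[0]
    if tag == "S":
        return ("T",)
    if tag in ("T", "var", "con"):
        return t
    if tag in BINDERS:
        return (tag, t[1], erase(t[2]), erase(t[3]))
    return (tag,) + tuple(erase(x) for x in t[1:])

INT = ("con", "int")
LIST_T = ("app", ("con", "list"), ("var", "t"))
# Constructed sample: a structure with  type t = int,  type u = t list,  type v
SIG = ("Sigma", "t", ("S", INT),
       ("Sigma", "u", ("S", LIST_T), ("T",)))
# Constructed sample: a functor whose argument is known to be int.
FUN = ("Pi", "a", ("S", INT), ("S", ("var", "a")))

if __name__ == "__main__":
    print(expand(("var", "s"), SIG))
    print(erase(SIG))
    print(erase(expand(("var", "f"), FUN)))
```

On the sample signature the dependent reference to `t` inside `u` is resolved to `int` before erasure, so the erased kind no longer needs the singleton to recover it.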


For the converse, we already have most of the facts we need at our disposal. We require two more lemmas. One states that the algorithm is symmetric and transitive. It is here that the use of a six-place algorithm is critical. For the six-place algorithm it is easy to show that symmetry and transitivity hold. For a four-place algorithm, on the other hand, it is a deep fact depending on soundness and completeness that symmetry and transitivity hold for well-formed instances, and for ill-formed instances it is not known to hold at all.


Lemma  27 

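1. If $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash c_2 : K_2$ then $\Gamma_2 \vdash c_2 : K_2 \Leftrightarrow \Gamma_1 \vdash c_1 : K_1$.

2. If $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash c_2 : K_2$ and $\Gamma_2 \vdash c_2 : K_2 \Leftrightarrow \Gamma_3 \vdash c_3 : K_3$ then $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_3 \vdash c_3 : K_3$.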


Proof 

By  inspection. 

The  other  lemma  states  that  if  singleton  reduction  is  not  employed  in  the  algorithm,  then  whatever  singleton 
kinds  appear  are  not  relevant  and  may  be  erased.  Moreover,  since  the  two  halves  of  the  algorithm  operate 
independently  (here  again  the  six-place  algorithm  is  critical),  we  may  erase  them  from  either  half  of  the 
algorithm. 


Lemma  28 

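1. If $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2 \vdash c_2 : K_2$ without using singleton reduction, then $\Gamma_1 \vdash c_1 : K_1 \Leftrightarrow \Gamma_2^\circ \vdash c_2^\circ : K_2^\circ$.

2. If $\Gamma_1 \vdash p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \vdash p_2 \uparrow K_2$ without using singleton reduction, then $\Gamma_1 \vdash p_1 \uparrow K_1 \leftrightarrow \Gamma_2^\circ \vdash p_2^\circ \uparrow K_2^\circ$.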

Proof 

By  induction  on  the  algorithmic  derivation. 


It is worth noting that the algorithmic judgement in Lemma 28 is quite peculiar, in that $\Gamma$ is ordinarily not equal to $\Gamma^\circ$ and $K$ is ordinarily not equal to $K^\circ$. Although there is a valid derivation of this algorithmic judgement, the soundness theorem does not apply, so it does not correspond to any derivation in the declarative system. When we apply this lemma below we will use transitivity to bring the assignments and kinds back into agreement before invoking soundness.


Lemma 29 If $\Gamma \vdash c_1 : K$, $\Gamma \vdash c_2 : K$, and $\Gamma^\circ \vdash_{sf} (R(c_1, K)\{R(\Gamma)\})^\circ = (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$ then $\Gamma \vdash c_1 = c_2 : K$.

Proof 

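By Lemma 7, $\Gamma \vdash c_1 = R(c_1, K)\{R(\Gamma)\} : K$. By algorithmic completeness, $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K$. By symmetry and transitivity of the algorithm, $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K \Leftrightarrow \Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K$. Then, by Lemmas 23, 20, and 28, $\Gamma \vdash R(c_1, K)\{R(\Gamma)\} : K \Leftrightarrow \Gamma^\circ \vdash (R(c_1, K)\{R(\Gamma)\})^\circ : K^\circ$. By transitivity, $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma^\circ \vdash (R(c_1, K)\{R(\Gamma)\})^\circ : K^\circ$. Similarly, $\Gamma \vdash c_2 : K \Leftrightarrow \Gamma^\circ \vdash (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$.

Since the singleton-free system is a subsystem of the full system, we have by algorithmic completeness that $\Gamma^\circ \vdash (R(c_1, K)\{R(\Gamma)\})^\circ : K^\circ \Leftrightarrow \Gamma^\circ \vdash (R(c_2, K)\{R(\Gamma)\})^\circ : K^\circ$. Hence, by symmetry and transitivity, $\Gamma \vdash c_1 : K \Leftrightarrow \Gamma \vdash c_2 : K$. (Note that by applying transitivity, we have swept away the peculiarity noted above.) Therefore $\Gamma \vdash c_1 = c_2 : K$ by algorithmic soundness.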


This  completes  the  proof. 


5  Related  Work  and  Conclusions 


The  primary  purpose  of  this  work  is  to  allow  the  reification  of  type  equality  information  in  a  type-preserving 
compiler  for  a  language  like  Standard  ML,  thereby  eliminating  the  need  to  complicate  the  latter  phases 
of  the  compiler  with  singleton  kinds.  Within  this  architecture,  equality  (or  “sharing”)  information  would 
initially  be  expressed  using  singleton  kinds,  but  at  some  point  singleton  kind  elimination  would  be  exploited 
to  eliminate  them. 
An alternative approach for dealing with type equality is proposed by Shao and used in the FLINT compiler [12]. Shao's approach is formulated as a direct translation from a source-level module calculus to a singleton-free calculus without any use of singleton kinds. However, for purposes of comparison, Shao's approach may be seen as follows [11]: Equality specifications are taken as straight abbreviations and deleted from signatures. Then, in order to ensure that the desired subsignature relationships hold (recall the introduction), when a structure matching a signature with a deleted field is used in a context where that deleted field is required, the translation coerces the structure to reinsert the deleted field. Thus, Shao interprets the subsignature relation by coercion, whereas this paper's approach interprets it by inclusion, which may be more efficient. Shao's work also differs in that, since the meaning of Shao's modules is defined in terms of their translation, it has no analogue of the correctness theorem.

Aspinall  [1]  studies  in  detail  a  related  type  system  with  singleton  types.  The  difference  between  singleton 
kinds  and  his  singleton  types  is  entirely  cosmetic  (this  work  could  just  as  easily  be  presented  as  singleton 
type  elimination),  but  various  other  technical  differences  between  his  system  and  this  one  make  it  unclear 
whether  the  same  elimination  process  would  apply  to  his  system  as  well.  Stone  and  Harper  [15]  compare 
this  system  to  Aspinall’s  in  greater  detail. 

An implementation of this paper's singleton kind elimination procedure in the context of the TILT compiler is planned, but has not yet been done. The main challenge we anticipate in this implementation is that singleton kinds, in addition to expressing type equality information from the module language, are also very useful for expressing type information compactly. The elimination of singleton kinds could thus substantially increase the space taken up by type information. This issue could arise in two ways: first, type information could take up more space in the compiler, resulting in slower compilation, and, second, if types are constructed and passed at run time [6], inefficient type representation could result in poor performance at run time. Shao et al. [13] discuss a number of ways to deal with the former issue, such as hashconsing and using explicit substitutions. The latter issue can be addressed by making the construction and passing of type information explicit [3] and doing so before performing singleton elimination; then singleton elimination will have no effect on the run-time version of type information.


References 

[1] David Aspinall. Subtyping with singleton types. In Eighth International Workshop on Computer Science Logic, volume 933 of Lecture Notes in Computer Science, pages 1-15, Kazimierz, Poland, September 1994. Springer-Verlag.

[2] Karl Crary and Stephanie Weirich. Flexible type analysis. In 1999 ACM International Conference on Functional Programming, pages 233-248, Paris, September 1999.

[3] Karl Crary, Stephanie Weirich, and Greg Morrisett. Intensional polymorphism in type-erasure semantics. In 1998 ACM International Conference on Functional Programming, pages 301-312, Baltimore, September 1998. Extended version published as Cornell University technical report TR98-1721.

[4] Robert Harper and Mark Lillibridge. A type-theoretic approach to higher-order modules with sharing. In Twenty-First ACM Symposium on Principles of Programming Languages, pages 123-137, Portland, Oregon, January 1994.

[5] Robert Harper, John C. Mitchell, and Eugenio Moggi. Higher-order modules and the phase distinction. In Seventeenth ACM Symposium on Principles of Programming Languages, pages 341-354, San Francisco, January 1990.

[6] Robert Harper and Greg Morrisett. Compiling polymorphism using intensional type analysis. In Twenty-Second ACM Symposium on Principles of Programming Languages, pages 130-141, San Francisco, January 1995.

[7] Xavier Leroy. Manifest types, modules and separate compilation. In Twenty-First ACM Symposium on Principles of Programming Languages, pages 109-122, Portland, Oregon, January 1994.

[8] Robin Milner, Mads Tofte, Robert Harper, and David MacQueen. The Definition of Standard ML (Revised). The MIT Press, Cambridge, Massachusetts, 1997.

[9] Greg Morrisett, Karl Crary, Neal Glew, and David Walker. Stack-based typed assembly language. In Second Workshop on Types in Compilation, volume 1473 of Lecture Notes in Computer Science, pages 28-52. Springer-Verlag, March 1998. Extended version published as CMU technical report CMU-CS-98-178.

[10] Greg Morrisett, David Walker, Karl Crary, and Neal Glew. From System F to typed assembly language. ACM Transactions on Programming Languages and Systems, 21(3):527-568, May 1999. An earlier version appeared in the 1998 Symposium on Principles of Programming Languages.

[11] Zhong Shao, 1998. Personal communication.

[12] Zhong Shao. Typed cross-module compilation. In 1998 ACM International Conference on Functional Programming, pages 141-152, Baltimore, Maryland, September 1998.

[13] Zhong Shao, Christopher League, and Stefan Monnier. Implementing typed intermediate languages. In 1998 ACM International Conference on Functional Programming, pages 313-323, Baltimore, Maryland, September 1998.

[14] Frederick Smith, David Walker, and Greg Morrisett. Alias types. In European Symposium on Programming, Berlin, Germany, March 2000. To appear.

[15] Christopher A. Stone and Robert Harper. Deciding type equivalence in a language with singleton kinds. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, January 2000. To appear. Extended version published as CMU technical report CMU-CS-99-155.

[16] D. Tarditi, G. Morrisett, P. Cheng, C. Stone, R. Harper, and P. Lee. TIL: A type-directed optimizing compiler for ML. In 1996 SIGPLAN Conference on Programming Language Design and Implementation, pages 181-192, May 1996.


A  Inference  Rules 


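Well-Formed Context: $\Gamma \vdash \mathrm{ok}$

$$\frac{}{\epsilon \vdash \mathrm{ok}} \quad (1)$$

$$\frac{\Gamma \vdash K \qquad \alpha \notin \mathrm{Dom}(\Gamma)}{\Gamma, \alpha{:}K \vdash \mathrm{ok}} \quad (2)$$

Context Equivalence: $\vdash \Gamma_1 = \Gamma_2$

$$\frac{}{\vdash \epsilon = \epsilon} \quad (3)$$

$$\frac{\vdash \Gamma_1 = \Gamma_2 \qquad \Gamma_1 \vdash K_1 = K_2 \qquad \alpha \notin \mathrm{Dom}(\Gamma_1)}{\vdash \Gamma_1, \alpha{:}K_1 = \Gamma_2, \alpha{:}K_2} \quad (4)$$

Well-Formed Kind: $\Gamma \vdash K$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash T} \quad (5)$$

$$\frac{\Gamma \vdash c : T}{\Gamma \vdash S(c)} \quad (6)$$

$$\frac{\Gamma, \alpha{:}K' \vdash K''}{\Gamma \vdash \Pi\alpha{:}K'.K''} \quad (7)$$

$$\frac{\Gamma, \alpha{:}K' \vdash K''}{\Gamma \vdash \Sigma\alpha{:}K'.K''} \quad (8)$$

Subkinding: $\Gamma \vdash K \le K'$

$$\frac{\Gamma \vdash c : T}{\Gamma \vdash S(c) \le T} \quad (9)$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash T \le T} \quad (10)$$

$$\frac{\Gamma \vdash c_1 = c_2 : T}{\Gamma \vdash S(c_1) \le S(c_2)} \quad (11)$$

$$\frac{\Gamma \vdash \Pi\alpha{:}K'_1.K''_1 \qquad \Gamma \vdash K'_2 \le K'_1 \qquad \Gamma, \alpha{:}K'_2 \vdash K''_1 \le K''_2}{\Gamma \vdash \Pi\alpha{:}K'_1.K''_1 \le \Pi\alpha{:}K'_2.K''_2} \quad (12)$$

$$\frac{\Gamma \vdash \Sigma\alpha{:}K'_2.K''_2 \qquad \Gamma \vdash K'_1 \le K'_2 \qquad \Gamma, \alpha{:}K'_1 \vdash K''_1 \le K''_2}{\Gamma \vdash \Sigma\alpha{:}K'_1.K''_1 \le \Sigma\alpha{:}K'_2.K''_2} \quad (13)$$

Kind Equivalence: $\Gamma \vdash K_1 = K_2$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash T = T} \quad (14)$$

$$\frac{\Gamma \vdash c_1 = c_2 : T}{\Gamma \vdash S(c_1) = S(c_2)} \quad (15)$$

$$\frac{\Gamma \vdash K'_2 = K'_1 \qquad \Gamma, \alpha{:}K'_1 \vdash K''_1 = K''_2}{\Gamma \vdash \Pi\alpha{:}K'_1.K''_1 = \Pi\alpha{:}K'_2.K''_2} \quad (16)$$

$$\frac{\Gamma \vdash K'_1 = K'_2 \qquad \Gamma, \alpha{:}K'_1 \vdash K''_1 = K''_2}{\Gamma \vdash \Sigma\alpha{:}K'_1.K''_1 = \Sigma\alpha{:}K'_2.K''_2} \quad (17)$$

Well-Formed Constructor: $\Gamma \vdash c : K$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash b : T} \quad (18)$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \alpha : \Gamma(\alpha)} \quad (19)$$

$$\frac{\Gamma, \alpha{:}K' \vdash c : K''}{\Gamma \vdash \lambda\alpha{:}K'.c : \Pi\alpha{:}K'.K''} \quad (20)$$

$$\frac{\Gamma \vdash c : \Pi\alpha{:}K'.K'' \qquad \Gamma \vdash c' : K'}{\Gamma \vdash c\,c' : K''\{c'/\alpha\}} \quad (21)$$

$$\frac{\Gamma \vdash c : \Sigma\alpha{:}K'.K''}{\Gamma \vdash \pi_1 c : K'} \quad (22)$$

$$\frac{\Gamma \vdash c : \Sigma\alpha{:}K'.K''}{\Gamma \vdash \pi_2 c : K''\{\pi_1 c/\alpha\}} \quad (23)$$

$$\frac{\Gamma \vdash \Sigma\alpha{:}K'.K'' \qquad \Gamma \vdash c_1 : K' \qquad \Gamma \vdash c_2 : K''\{c_1/\alpha\}}{\Gamma \vdash \langle c_1, c_2\rangle : \Sigma\alpha{:}K'.K''} \quad (24)$$

$$\frac{\Gamma \vdash c : T}{\Gamma \vdash c : S(c)} \quad (25)$$

$$\frac{\Gamma \vdash \Sigma\alpha{:}K'.K'' \qquad \Gamma \vdash \pi_1 c : K' \qquad \Gamma \vdash \pi_2 c : K''\{\pi_1 c/\alpha\}}{\Gamma \vdash c : \Sigma\alpha{:}K'.K''} \quad (26)$$

$$\frac{\Gamma \vdash c : \Pi\alpha{:}K'.K''_1 \qquad \Gamma, \alpha{:}K' \vdash c\,\alpha : K''}{\Gamma \vdash c : \Pi\alpha{:}K'.K''} \quad (27)$$

$$\frac{\Gamma \vdash c : K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash c : K_2} \quad (28)$$

Constructor Equivalence: $\Gamma \vdash c = c' : K$

$$\frac{\Gamma, \alpha{:}K' \vdash c_1 = c_2 : K'' \qquad \Gamma \vdash c'_1 = c'_2 : K'}{\Gamma \vdash (\lambda\alpha{:}K'.c_1)\,c'_1 = c_2\{c'_2/\alpha\} : K''\{c'_1/\alpha\}} \quad (29)$$

$$\frac{\Gamma \vdash c_1 : \Pi\alpha{:}K'.K''_1 \qquad \Gamma \vdash c_2 : \Pi\alpha{:}K'.K''_2 \qquad \Gamma, \alpha{:}K' \vdash c_1\,\alpha = c_2\,\alpha : K''}{\Gamma \vdash c_1 = c_2 : \Pi\alpha{:}K'.K''} \quad (30)$$

$$\frac{\Gamma \vdash \Sigma\alpha{:}K'.K'' \qquad \Gamma \vdash \pi_1 c_1 = \pi_1 c_2 : K' \qquad \Gamma \vdash \pi_2 c_1 = \pi_2 c_2 : K''\{\pi_1 c_1/\alpha\}}{\Gamma \vdash c_1 = c_2 : \Sigma\alpha{:}K'.K''} \quad (31)$$

$$\frac{\Gamma \vdash c_1 = c'_1 : K_1 \qquad \Gamma \vdash c_2 : K_2}{\Gamma \vdash \pi_1\langle c_1, c_2\rangle = c'_1 : K_1} \quad (32)$$

$$\frac{\Gamma \vdash c_1 : K_1 \qquad \Gamma \vdash c_2 = c'_2 : K_2}{\Gamma \vdash \pi_2\langle c_1, c_2\rangle = c'_2 : K_2} \quad (33)$$

$$\frac{\Gamma \vdash c : S(c')}{\Gamma \vdash c = c' : T} \quad (34)$$

$$\frac{\Gamma \vdash c = c' : T}{\Gamma \vdash c = c' : S(c)} \quad (35)$$

$$\frac{\Gamma \vdash c' = c : K}{\Gamma \vdash c = c' : K} \quad (36)$$

$$\frac{\Gamma \vdash c = c' : K \qquad \Gamma \vdash c' = c'' : K}{\Gamma \vdash c = c'' : K} \quad (37)$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash b = b : T} \quad (38)$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \alpha = \alpha : \Gamma(\alpha)} \quad (39)$$

$$\frac{\Gamma \vdash K'_1 = K'_2 \qquad \Gamma, \alpha{:}K'_1 \vdash c_1 = c_2 : K''}{\Gamma \vdash \lambda\alpha{:}K'_1.c_1 = \lambda\alpha{:}K'_2.c_2 : \Pi\alpha{:}K'_1.K''} \quad (40)$$

$$\frac{\Gamma \vdash c = c' : \Pi\alpha{:}K_1.K_2 \qquad \Gamma \vdash c_1 = c'_1 : K_1}{\Gamma \vdash c\,c_1 = c'\,c'_1 : K_2\{c_1/\alpha\}} \quad (41)$$

$$\frac{\Gamma \vdash c_1 = c_2 : \Sigma\alpha{:}K'.K''}{\Gamma \vdash \pi_1 c_1 = \pi_1 c_2 : K'} \quad (42)$$

$$\frac{\Gamma \vdash c_1 = c_2 : \Sigma\alpha{:}K'.K''}{\Gamma \vdash \pi_2 c_1 = \pi_2 c_2 : K''\{\pi_1 c_1/\alpha\}} \quad (43)$$

$$\frac{\Gamma \vdash \Sigma\alpha{:}K'.K'' \qquad \Gamma \vdash c'_1 = c'_2 : K' \qquad \Gamma \vdash c''_1 = c''_2 : K''\{c'_1/\alpha\}}{\Gamma \vdash \langle c'_1, c''_1\rangle = \langle c'_2, c''_2\rangle : \Sigma\alpha{:}K'.K''} \quad (44)$$

$$\frac{\Gamma \vdash c_1 = c_2 : K \qquad \Gamma \vdash K \le K'}{\Gamma \vdash c_1 = c_2 : K'} \quad (45)$$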